OBAMACARE IMPLEMENTATION: THE
ROLLOUT OF HEALTHCARE.GOV 


Wednesday, November 13, 2013 

House of Representatives 

Committee on Oversight and Government Reform, 

Washington, D.C. 

The committee met, pursuant to call, at 9:35 a.m., in Room 2154, 
Rayburn House Office Building, Hon. Darrell E. Issa [chairman of 
the committee] presiding. 

Present: Representatives Issa, Mica, Turner, Duncan, McHenry, 
Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar, Meehan, 
DesJarlais, Gowdy, Farenthold, Lummis, Woodall, Massie, Collins, 
Meadows, Bentivolio, DeSantis, Cummings, Maloney, Norton, 
Tierney, Clay, Lynch, Cooper, Connolly, Cartwright, Duckworth, 
Kelly, Davis, Welch, Cardenas, Horsford, and Lujan Grisham. 

Also Present: Representative Kelly. 

Staff Present: Richard A. Beutel, Majority Senior Counsel; Brian 
Blase, Majority Professional Staff Member; Molly Boyl, Majority 
Deputy General Counsel and Parliamentarian; Lawrence J. Brady, 
Majority Staff Director; Joseph A. Brazauskas, Majority Counsel; 
Caitlin Carroll, Majority Deputy Press Secretary; Sharon Casey, 
Majority Senior Assistant Clerk; Steve Castor, Majority General 
Counsel; John Cuaderes, Majority Deputy Staff Director; Adam P. 
Fromm, Majority Director of Member Services and Committee Operations;
Linda Good, Majority Chief Clerk; Meinan Goto, Majority
Professional Staff Member; Tyler Grimm, Majority Professional
Staff Member; Frederick Hill, Majority Staff Director of Communications
and Strategy; Christopher Hixon, Majority Chief Counsel
for Oversight; Michael R. Kiko, Majority Legislative Assistant;
Mark D. Marin, Majority Deputy Staff Director of Oversight; Laura
L. Rush, Majority Deputy Chief Clerk; Peter Warren, Majority Legislative
Policy Director; Rebecca Watkins, Majority Communications
Director; Krista Boyd, Minority Deputy Director of Legislation/Counsel;
Aryele Bradford, Minority Press Secretary; Yvette
Cravins, Minority Counsel; Susanne Sachsman Grooms, Minority
Deputy Staff Director/Chief Counsel; Jennifer Hoffman, Minority
Communications Director; Chris Knauer, Minority Senior Investigator;
Elisa LaNier, Minority Director of Operations; Una Lee, Minority
Counsel; Juan McCullum, Minority Clerk; Leah Perry, Minority
Chief Oversight Counsel; Dave Rapallo, Minority Staff Director;
Daniel Roberts, Minority Staff Assistant/Legislative Correspondent;
Valerie Shen, Minority Counsel; Mark Stephenson, Minority
Director of Legislation; and Cecelia Thomas, Minority Counsel.

Chairman ISSA. The committee will come to order.

The Oversight and Government Reform Committee exists to secure
two fundamental principles: first, Americans have a right to
know that the money Government takes involuntarily from them is 
well spent and, second, Americans deserve an efficient, effective 
Government that works for them. Our duty on the Oversight and 
Government Reform Committee is to, in fact, protect these rights. 
Our solemn responsibility is to hold Government accountable to 
taxpayers, because taxpayers have a right to know that the money 
Government takes from them is well spent. It is our job to work 
tirelessly in partnership with citizen watchdogs to deliver the facts 
to the American people and bring genuine reform to the Federal 
bureaucracy. 

Three and a half years ago, closer to four, in a partisan vote, the 
House of Representatives passed the Patient Protection Affordable 
Care Act, commonly referred to as ObamaCare. The Act gave this 
Administration more than three years to implement; it gave them 
virtually unlimited money; it ensured them that, for all practical 
purposes, they need not come back to Congress ever again because 
they created an entitlement, one that raised its own money, spent 
its own money, created its own rules. 

The 2400 pages that were passed into law, and then read afterwards,
now represent tens of thousands of pages of regulations that
were created by this Administration based on how this Administration
wanted a law interpreted, meaning that legislation created
three and a half years ago was still being written in late September.

The cornerstone of the President’s signature achievement included
a website, Healthcare.gov. This site, and parallel sites created
by some States, were supposed to make it easy to have an online
marketplace. It was, in fact, an attempt to duplicate what hundreds,
perhaps thousands, of insurance companies, large and small,
around America do well every day.

On October 1st, President Obama said using it would be as easy 
as buying an airline ticket on Kayak.com or buying a television on 
Amazon. This is an insult to Amazon and Kayak. On the day of the 
launch, President Obama should have known the harsh lesson we 
have all learned since that time, and that was they weren’t ready. 
They weren’t close to ready. This wasn’t a small mistake. This 
wasn’t a scaling mistake. This was a monumental mistake to go 
live and effectively explode on the launchpad. 

For American people, ObamaCare is no longer an abstraction, 
and it is a lot more than a website. For millions of Americans, it 
is about losing insurance the President promised you can keep, period.
For many Americans, it is about premiums going up, when
you were promised they would go down by $2500. 

Big businesses lobbied and received an ObamaCare waiver this 
year. However, the individual, the taxpayer, the citizen, the only 
real recipient of health care, did not. Individuals still have to pay 
a penalty if they don’t have insurance that meets a Federal standard,
a standard of what your Government, your nanny State believes,
in fact, you must have. The penalty is still in effect, and
even if new exchanges don’t function. The penalty is in effect even
if you planned on keeping the health care you wanted, period, and
discovered it is now gone, or have yet to discover, because ultimately,
if you are on an employer plan, you may not yet have
found out that your employer either cannot afford or cannot receive 
the health care you have grown accustomed to. 

The specific reason we are here today is a narrow part of this 
committee’s oversight and legislative authority. It is, in fact, to examine
the failures of what should have been an IT success story.
Nearly $600 million, three and a half years, is larger than Kayak 
ever dreamed of having to set up their website. It is larger than 
eBay spent in the first many years of a much more complex site 
that auctions, in real-time, millions and millions of products a year. 

We are here to examine the failure of technology not because the 
technology was so new and innovative, not because this was a 
moon shot, not because we needed Lockheed Martin and Rockwell 
to come in and invent some new way to propel a ship to the moon; 
but because we have discovered, and will undoubtedly continue to 
discover, that efforts were taken to cut corners to meet political 
deadlines at the end, that for political reasons rules were not created
in a timely fashion, that in fact the rules that should have
been created at the time of the passage of the law or shortly thereafter
in many cases were still being given to programmers in September
of this year.

Now, I recognize that there are divisions on this committee, as 
there were when ObamaCare became law. Many members, including
myself, believe that there was and is a health care crisis in
America. It is a crisis of affordability. And insurance is simply a 
way to score what that affordability is, not to drive down the cost. 
Many members, including myself, opposed this new law because we 
thought it wouldn’t work and it had no systems to actually reduce 
the cost of health care from the provider. 

My friends on the other side may correctly note, as I will here, 
that many Americans are benefitting from ObamaCare at the cost 
of trillions of dollars over a 10-year period. I certainly hope so. But 
divisions over whether or not taxpayer money taken and pushed 
back out to needy who are trying to afford health care is not the 
subject today. 

Unfortunately, during the first two years of the ObamaCare law, 
under Speaker Pelosi, there was no effective oversight. Oversight 
was shut down during the first two years of the Obama Administration,
and the Minority pointing out anything was ignored. Under
my chairman, we have tried to correct that, but we have been disappointed
by continued obstruction by the Minority on this committee,
defending the Administration even when it has failed to deliver
the relevant documents, and they find themselves objecting to
hearings, witness requests, and constantly engage in petty 
downplaying of what in fact are a serious problem. 

The Minority today will undoubtedly point out that this must be 
political, that we are not here because only 1100 people at a time 
could get on to a website before it crashed, effectively, when 
250,000 needed to get on it because it was the law and they were 
mandated. We are not here for that reason, the Minority will say; 
we are here because this is political. 

This committee, on a bipartisan basis, has offered legislation 
that, if the Senate had taken up it and the President had supported
and signed it and it had been implemented in this project,
undoubtedly many of the mistakes made we would find would not 
be made. In fact, the lack of budget authority for a single point on 
a project of this sort, conducted and overseen by somebody who had 
a success story in similar operations rising to the level of a $600 
million multi-committee, multi-State website, if that person had 
been there and in charge, I have no doubt that person would not 
be with us today because that site would be up and running. 

On October 10th I joined with Senator Lamar Alexander, a member
of the minority in the Senate who finds himself unable to get
answers, asking Secretary Sebelius to provide documents related to 
Healthcare.gov. Unfortunately, on October 28th, a month in to 
ObamaCare, I was forced to issue a subpoena because of a lack of 
response from the Administration. To date, HHS has not produced 
a single responsive document to this committee. 

In contrast, the committee has received far more cooperation, 
transparency, and document production, receiving over 100,000 relevant
documents, from the private sector, from contractors working
on this project, the very contractors who were blamed on day one 
as their fault, not a single political appointee’s fault, not Obama’s 
fault. 

I know the ranking member and I could fill an entire hearing 
with discussions about our differences, and I have no doubt, in 
short order, he will air many of them. But for this hearing I think 
we can find agreement. The agreement would be simple: whether 
you like ObamaCare or not, taxpayer dollars were wasted, precious 
time was wasted, the American people’s promise of ObamaCare, in 
fact, does not exist today in a meaningful way because best practices,
established best practices of our Government were not used
in this case. 

Now, our Government must quickly grasp the lessons of what 
happened here in ObamaCare’s Healthcare.gov project to better 
and more effectively implement underlying policy changes so this 
won’t happen again. The investigations of this committee have received
testimony and have paid documents indicating many problems
that led to the disastrous failure to launch on October 1st.
The committee has learned that numerous missed deadlines and ignoring
of integrated security testing requirements are still a problem
for this system.

The ranking member gave to me, and I will put it in the record, 
a letter very concerned that some of the documents we received 
from contractors, if they got in public hands, would be a roadmap 
to the security flaws that exist in ObamaCare’s website today. It 
is our committee’s decision that those documents will not be released,
that we will carefully ensure that any material given to us
by anyone that would help hackers discover more quickly the flaws 
in ObamaCare’s website are not made public. 

But let us understand the ranking member’s statement in that 
letter says more than I could say, and that is, on the day of the 
launch, and even today, there are material failures in the security 
of the ObamaCare website, meaning that even though we may not 
put out the roadmap, hackers, if they can get on a website that 
only accommodates 1100 people at a time, hackers in fact may have 
already or may soon find those vulnerabilities. They may soon find 
your social security number or your sensitive information because
there was no integrated security testing before the launch. And 
MITRE Corporation and others pointed this out in time for the 
launch to not have occurred until security concerns were properly 
vetted. 

The last known security test conducted by the records we have 
been given — and, again, given by contractors, because the Administration
has failed to be in any way honest or transparent in producing
documents — show that in mid-September, at least as to the
Federal marketplace segment of the site, they identified significant 
findings of risk. Documents from the contractor MITRE identified 
a chaotic testing environment. 

According to Mr. Henry Chao, the top operational officer for the 
marketplace, Administration delays in issuing regulations created 
a compressed time frame for building the IT infrastructure. We 
know, for example, that HHS did not issue any regulations in the 
three months prior to November 2012 election. 

Yes, I am saying that it seems sad that you pass a law in the 
first few months of an administration and, yet, it seems that regulations
came to a halt so they would not be out there in the marketplace
during the President’s re-elect. Two years is too long after
a law that has mandates before you go and tell the American people
and the website producers what they must do.

This committee has learned that a complete integrated security 
testing did not occur, meaning test the pieces, but do not test the 
entire product was one of the faults at the launch. That heightens 
the risk of unauthorized access, non-encrypted data, identity theft,
and the loss of personal identifiable information. This is not this 
committee’s opinion; this is testimony. 

The director of CMS stated he was not even aware of some testing
results that showed serious security problems in the weeks before
the October 1st launch. He testified these results should have
been shared with him and said the situation was disturbing. HHS 
offered no further explanation for nearly two weeks, until after the 
committee made a redacted version of the key memo public. 

At a briefing last week, Tony Trenkle, CMS Chief Information 
Officer, told investigators he normally signs the authority to operate
memos to launch CMS IT projects. In this case, however, and
wisely, he determined that he would not sign the Healthcare.gov
document, and in fact required a less qualified and obviously erroneous
signature by Marilyn Tavenner to occur on that document.

Now, that is kicking it upstairs because you know it isn’t any 
good. And although I appreciate a CIO not signing a document for 
a site that wasn’t ready, I think at the same time we must recognize
that there should have been public objection to Marilyn
Tavenner signing that document for a website that clearly was not 
ready for prime time. 

Additionally, today we are hearing from a distinguished panel of 
witnesses, and I recognize some of the witnesses, particularly Mr. 
Park, are busy elsewhere trying to get this site operational. But 
since we have been in the neighborhood of six weeks into the 
launch, I trust that hundreds or, if necessary, thousands of the 
right people have most of their marching orders and that, in fact, 
it is time for Congress, on any committee of jurisdiction, to look 
over the shoulder of the Administration to ask both what went
wrong and, today, not just ask do you promise, on November 30th, 
to make it right, but will you in fact commit to the changes in law 
that would ensure this doesn’t happen again. 

I don’t hold this committee hearing today to sell IT reform. This 
committee has already done its job to sell IT reform. However, it 
is essential that you understand that when Mr. Cummings and I 
make public billions of dollars worth of failed IT programs, the 
American people often get a small snippet in the newspaper. So 
today I think the American people should know this isn’t the $600 
million unique event. If it were, it would be a different hearing. 
This is part of a pattern that occurs due to failure to adhere to the 
private sector’s world-class standards for web production. This is a 
pattern that includes Schedule C political appointees being more 
involved than career professionals. This is a pattern that has to 
stop. 

Among our witnesses today will be Mr. Dave Powner, a Government
Accountability Officer and an expert in, in fact, what those
practices should have been and what failed on Healthcare.gov. I
might note for all he is, in fact, a career professional, a nonpartisan,
and an individual who doesn’t work for me, doesn’t work
for the ranking member, but works for the American people. 

I will do the rest of my introduction when the time comes. I now 
will yield to the ranking member. 

Mr. Cummings. Thank you very much, Mr. Chairman. 

Good morning to everyone and welcome to our witnesses who are 
here with us today. I want you to know that I appreciate your service
and, on behalf of a grateful Congress, we thank you. I thank
you for your dedication to ensuring that millions of Americans who
do not have health insurance will be able to obtain quality affordable
coverage going forward. This is an incredibly admirable goal,
and I thank you for everything you are doing to make it a reality. 

Unfortunately, not everyone in this room shares this very important
goal. Republicans opposed the Affordable Care Act in 2009 and
voted against providing health insurance to millions of Americans. 
Over the past three years they have voted more than 40 times to 
repeal parts or all of the law and eliminate health insurance for 
people across the Country. Since they failed at these repeal efforts, 
they blocked requests for full funding to implement the law. This 
forced Federal agencies to divert limited funds from other areas. 

Republican governors refused to set up State exchanges, forcing 
the Federal Government to bear more of the workload. And to 
make a political point against the Affordable Care Act, Republican 
governors refused Federal funds to expand their Medicaid programs
to provide medical care for the poor, increasing the burden
on their own State hospitals. To me, this is one of the most inexplicable
actions I have ever witnessed from elected representatives
against their own people, the people who elect them; their neighbors,
their family members, their friends, the grocer, the mortician.

After all of these efforts, House Republicans shut down the entire 
Federal Government for three weeks in October. Three weeks shut 
down the Government. They threatened to default on our national 
debt unless we repealed the Affordable Care Act. Again, this effort 
failed. 

Now they are attempting to use the congressional oversight process
to scare Americans away from the website by once again making
unsupported assertions about the risk to their personal medical
information. Let me be clear. The Centers for Medicare and Medicaid
Services and its contractors failed to fully deliver what they
were supposed to deliver, and congressional oversight of those failures
is absolutely warranted. But nobody in this room, nobody in
this Country believes that Republicans want to fix the website. 

For the past three years the number one priority of congressional 
Republicans has been to bring down this law, and that goal, ladies 
and gentlemen, has not changed. Today they complain that their 
constituents are waiting too long on Healthcare.gov to sign up for 
insurance. But is there a solution to fix the website? No. It is to 
repeal the Affordable Care Act and eliminate health insurance for 
millions of Americans. 

While repealing the Affordable Care Act indeed would reduce
waiting times on the website, it would increase waiting times in 
our Nation’s emergency rooms. 

Mr. Chairman, over the past month, instead of working in a bipartisan
manner to improve the website, you have politicized this
issue by repeatedly making unfounded allegations. In my opinion,
these statements have impaired the committee’s credibility. For example,
on October 27th, you went on national television and accused
the White House of ordering CMS to disable the so-called
Anonymous Shopper function in September for political reasons: to 
avoid “sticker shock.” That allegation is totally wrong. 

We have now reviewed documents and interviewed the CMS officials
who made that decision, and it was based on defects in the
contractor’s work, not on a White House political directive. 

Last Thursday you issued a press release with this blaring headline:
“Healthcare.gov Could Only Handle 1,100 Users the Day Before
Launch.” This claim is wrong. You apparently based your allegation
on misinterpretation of the documents we received, which
relate to a sample testing environment. I believe the witnesses will 
expound upon that today. 

Most troubling of all was your allegation against one of our witnesses
today, Todd Park, the Chief Technology Officer of the
United States of America. You went on national television and accused
him of engaging in a “pattern of interference and false statements.”
Mr. Park is widely respected by the technology community
as an honest and upstanding professional. In my opinion, your accusations
denigrated his reputation with absolutely no, absolutely
no legitimate basis. As I said to my letter to you on Monday, I believe
your statements crossed the line and I think you owe Mr.
Park an apology, not a subpoena. 

The unfortunate result of this approach is that we may miss an 
opportunity to do some very good work. Our committee has done 
significant substantive and bipartisan work on Federal IT reform, 
and I applaud you for your leadership in that. And I go back to the 
word, it was indeed bipartisan. We joined in to do what this committee
is supposed to do, to look at the facts, to seek the truth, the
whole truth, and nothing but the truth, and then bring about reform.

Under the leadership above you and our Democratic information
technology expert, Mr. Connolly of Virginia, last March we passed
the Federal Information Technology Acquisition Reform Act. This
bill would increase the authority of agency CIOs and provide them
with budget authority over Federal IT programs, including hiring.
We did that together. We did that in a bipartisan way. We put politics
aside, rolled up our sleeves, and worked together to constructively
address these challenges. I hope that that is what today’s
hearing is all about. 

And I again thank our witnesses, who I know are working very 
hard to achieve these goals. 

With that, I yield back. 

Chairman ISSA. I thank the gentleman. 

Members may have seven days in which to submit opening statements
and other extraneous material.

I now ask that my entire opening statement be placed in the 
record. Without objection, so ordered. 

I now ask that the letter from Mr. Cummings, dated November 
6, 2013, to me be placed in the record. Without objection, so ordered.

Chairman ISSA. I will now go to our panel of witnesses. We welcome
our first panel of witnesses:

Mr. Dave Powner is the Director of Information Technology Management
Issues at the Government Accountability Office.

Mr. Henry Chao is the Deputy Director of the Office of Information
Services at the Center for Medicare and Medicaid Services,
today probably called CMS for the rest of the day, and Deputy 
Chief Information Officer at CMS. 

Mr. Frank Baitman is the Chief Information Officer at the Department
of Health and Human Services, normally called HHS.

Mr. Todd Park is the Chief Technology Officer of the United 
States. 

Mr. Steve VanRoekel is the Chief Information Officer of the 
United States. 

Pursuant to the rules, as many of you who have not been here 
before will see, I would ask that you all rise to take a sworn oath. 
Please raise your right hands. 

Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing but 
the truth? 

[Witnesses respond in the affirmative.] 

Please be seated. 

Let the record reflect that all witnesses answered in the affirmative.

Now, this is a large panel and it is going to be a long day, and 
I suspect witnesses will be asked questions by both sides of the 
aisle, so I would ask that since your entire opening statements will 
be placed in the record verbatim, that you adhere to the time clock 
and come to a halt as quickly as possible when it hits red. Please 
understand yellow is not an opportunity to start a new subject, it 
is an opportunity to wrap up. 

With that, we will go to our distinguished guest from the GAO, 
Mr. Powner. 

WITNESS STATEMENTS

STATEMENT OF DAVID A. POWNER 

Mr. Powner. Chairman Issa, Ranking Member Cummings, and 
members of the committee, we appreciate the opportunity to testify 
on best practices that help agencies deliver complex IT acquisitions.
In July I testified before Chairman Mica’s subcommittee on
15 failed IT projects and other troubled projects, and now we are
faced with one of the more visible troubled IT projects in
Healthcare.gov. These complex projects can be delivered successfully
when there is appropriate accountability, transparency, oversight,
expertise, and program management.

We issued a prior report that showcases seven successful IT acquisitions
and what allowed them to be delivered successfully. This
morning I would like to highlight best practices from that report 
and others that would have made a difference with Healthcare.gov. 
I would like to start by highlighting the importance of FITAR, Mr. 
Chairman, specifically those sections that increase CIO authorities 
and strengthen IT acquisition practices. 

Starting with accountability. Key IT executives need to be accountable
with appropriate business leaders responsible for the
project. This needs to start with the department CIOs and for 
projects of national importance includes the president CIO. At 
HHS, CIO authority is an issue GAO reported on just last week. 

Transparency. The IT Dashboard was put in place in June of 
2009 to highlight the status and CIO assessments of approximately 
700 major IT investments across 27 departments. About $40 billion 
are spent annually on these 700 investments and public dissemination
of each project’s status is intended to allow OMB and the Congress
to hold agencies accountable for results in performance. Surprisingly,
recent Dashboard assessments on Healthcare.gov primarily
showed a green CIO rating. But, interestingly, in March the
rating was red, so something was wrong at that time. 

Third, oversight. Both OMB, department and agency oversight 
and governance are important so executives are aware of project 
risks and assure that they are effectively mitigated. We have 
issued reports on OMB and agency TechStat sessions highlighting 
the importance of these meetings and their excellent results, primarily
halting, rescoping, and redirecting troubled projects. We
have also recommended that more TechStats needs to occur on 
troubled and risky projects. We are not aware that Healthcare.gov 
was subject to a TechStat review. 

Fourth, expertise. It is extremely important to project success 
that program staff have the necessary knowledge and skills. This 
applies to a number of areas, including program management, engineering,
architecture, systems integration, and testing.

Fifth, program management. Several best practices increase the 
likelihood that IT acquisitions will be delivered on time, within 
budget, and with the functionality promised. This starts with getting
your requirements right by involving end-users, having regular
communication with contractors throughout the acquisition
process, and adequately testing the system, including integration
end-to-end and user acceptance.

There are a number of key questions that can be asked of any
IT acquisition to ensure that appropriate accountability, transparency,
oversight expertise, and program management is in place,
and these most definitely pertain to Healthcare.gov. These include: 

What role is OMB playing in ensuring that this major acquisition 
is on track and specifically how involved is the Federal CIO? 

Is the department and agency CIO accountable and actively involved
in managing risks?

Is the acquisition status accurate, timely, and transparent as displayed
on the IT Dashboard?

Are OMB and agency oversight and governance appropriate? 

Were governance or TechStat meetings held with the right executives?

Were key risks addressed and was there appropriate follow-up? 

Does the agency have the appropriate expertise to carry out its 
program management role and other roles it is to perform? In the 
case of Healthcare.gov, a key question is whether CMS has the capabilities
to act as the systems integrator.

And, finally, is the program office following best practices 
throughout the acquisition life cycle, starting with how the project 
is defined to how it is tested and deployed for operations? This 
would include security testing, assessment, and authorization. 

In summary, Mr. Chairman, OMB and agencies can do more to 
ensure that the Government’s annual 80-plus billion dollar investment
in IT has the appropriate accountability, oversight, transparency,
and best practices to deliver vital services to the American
taxpayers. 

This concludes my statement. Thank you for your continued oversight
in Federal IT issues.

[Prepared statement of Mr. Powner follows:] 

INFORMATION TECHNOLOGY

Leveraging Best Practices to Help Ensure Successful 
Major Acquisitions 


What GAO Found 

Information technology (IT) acquisition best practices have been developed by 
both industry and the federal government. For example, the Software 
Engineering Institute has developed highly regarded and widely used guidance 
on best practices, such as requirements development and management, risk 
management, validation and verification, and project monitoring and control. 
GAO’s own research in IT management best practices led to the development of 
the Information Technology Investment Management Framework, which 
describes essential and complementary IT investment management disciplines, 
such as oversight of system development and acquisition management, and 
organizes them into a set of critical processes for successful investments. 

GAO also recently reported on the critical factors underlying successful IT 
acquisitions. Officials from federal agencies identified seven investments that 
were deemed successfully acquired in that they best achieved their respective 
cost, schedule, scope, and performance goals. Agency officials identified nine 
common factors that were critical to the success of three or more of the seven 
investments. 


Common Critical Success Factors and Number of Agencies Reporting 

Critical success factor | Number of investments reporting
Program officials were actively engaged with stakeholders | 7
Program staff had the necessary knowledge and skills | 6
Senior department and agency executives supported the programs | 6
End users and stakeholders were involved in the development of requirements | 5
End users participated in testing of system functionality prior to formal end user acceptance testing | 5
Government and contractor staff were consistent and stable | 4
Program staff prioritized requirements | 4
Program officials maintained regular communication with the prime contractor | 4
Programs received sufficient funding | 3

Source: GAO analysis of agency data. 


Officials from all seven investments cited active engagement with program 
stakeholders as a critical factor to the success of those investments. Agency 
officials stated that stakeholders regularly attended program management office 
sponsored meetings; were working members of integrated project teams; and 
were notified of problems and concerns as soon as possible. 

Additionally, officials from six investments indicated that knowledge and skills of 
the program staff, and support from senior department and agency executives 
were critical to the success of their programs. Further, officials from five of the 
seven selected investments identified having the end users test and validate the 
system components prior to formal acceptance testing for deployment as critical 
to the success of their program. These critical factors support the Office of 
Management and Budget’s (OMB) objective of improving the management of 
large-scale IT acquisitions across the federal government; wide dissemination of 
these factors could complement OMB’s efforts. 

United States Government Accountability Office 
Chairman Issa, Ranking Member Cummings, and Members of the 
Committee: 

I am pleased to be here today to discuss the importance of key aspects of 
the federal government’s acquisition of information technology (IT) 
investments. As reported to the Office of Management and Budget 
(OMB), federal agencies plan to spend at least $82 billion on IT in fiscal 
year 2014. Given the size of these investments and the criticality of many 
of these systems to the health, economy, and security of the nation, it is 
important that federal agencies successfully acquire these systems—that 
is, ensure that the systems are acquired on time and within budget, and 
that they deliver the expected benefits and functionality. 

However, as we have previously reported and testified, federal IT projects 
too frequently incur cost overruns and schedule slippages while 
contributing little to mission-related outcomes. 1 During the past several 
years, we have issued multiple reports and testimonies on federal 
initiatives to acquire and improve the management of IT investments. 2 In 
those reports, we made numerous recommendations to federal agencies 
and OMB to further enhance the management and oversight of IT 
programs. 


1 See, for example, GAO, Information Technology: OMB and Agencies Need to More 
Effectively Implement Major Initiatives to Save Billions of Dollars, GAO-13-796T 
(Washington, D.C.: July 25, 2013); Secure Border Initiative: DHS Needs to Reconsider Its 
Proposed Investment in Key Technology Program, GAO-10-340 (Washington, D.C.: May 
5, 2010); and Polar-Orbiting Environmental Satellites: With Costs Increasing and Data 
Continuity at Risk, Improvements Needed in Tri-agency Decision Making, GAO-09-564 
(Washington, D.C.: June 17, 2009). 

2 See, for example, GAO, Information Technology: Additional Executive Review Sessions 
Needed to Address Troubled Projects, GAO-13-524 (Washington, D.C.: June 13, 2013); 
Data Center Consolidation: Strengthened Oversight Needed to Achieve Billions of Dollars 
in Savings, GAO-13-627T (Washington, D.C.: May 14, 2013); Data Center Consolidation: 
Strengthened Oversight Needed to Achieve Cost Savings Goal, GAO-13-378 
(Washington, D.C.: Apr. 23, 2013); Information Technology Dashboard: Opportunities 
Exist to Improve Transparency and Oversight of Investment Risk at Select Agencies, 
GAO-13-98 (Washington, D.C.: Oct. 16, 2012); Data Center Consolidation: Agencies 
Making Progress on Efforts, but Inventories and Plans Need to Be Completed, 
GAO-12-742 (Washington, D.C.: July 19, 2012); Information Technology: Continued 
Attention Needed to Accurately Report Federal Spending and Improve Management, 
GAO-11-831T (Washington, D.C.: July 14, 2011); and Information Technology: Investment 
Oversight and Management Have Improved but Continued Attention Is Needed, 
GAO-11-454T (Washington, D.C.: Mar. 17, 2011). 


GAO-14-183T 


As part of its response to our prior work, OMB deployed a public website 
in 2009, known as the IT Dashboard, which provides detailed information 
on federal agencies' major IT investments, 3 including assessments of 
actual performance against cost and schedule targets (referred to as 
ratings) for approximately 700 major federal IT investments. In addition, 
OMB has initiated other significant efforts following the creation of the 
Dashboard. For example, OMB began leading reviews — known as 
TechStat Accountability Sessions (TechStats) — of selected IT 
investments to increase accountability and improve performance. Further, 
in 2011 we reported on the critical factors underlying successful federal 
major IT acquisitions. 4 In that report, we identified seven successful 
investment acquisitions and nine common factors critical to their success. 

As discussed with committee staff, I am testifying today on IT acquisition 
best practices, with a focus on the results of our report on the critical 
success factors of major IT acquisitions. 5 Accordingly, my testimony 
specifically focuses on those success factors and their importance to 
improving IT investment oversight and management. I will also address 
several initiatives put into place by OMB to address the transparency of IT 
investments and to review troubled projects. All work on which this 
testimony is based was performed in accordance with all sections of 
GAO's Quality Assurance Framework that were relevant to our objectives. 
The framework requires that we plan and perform the engagement to 
obtain sufficient and appropriate evidence to meet our stated objectives 
and to discuss any limitations in our work. We believe that the information 
and data obtained, and the analysis conducted, provide a reasonable 
basis for any findings and conclusions in this product. A more detailed 


3 According to OMB guidance, a major IT investment is a system or an acquisition 
requiring special management attention because it: has significant importance to the 
mission or function of the agency, a component of the agency, or another organization; is 
for financial management and obligates more than $500,000 annually; has significant 
program or policy implications; has high executive visibility; has high development, 
operating, or maintenance costs; is funded through other than direct appropriations; or is 
defined as major by the agency’s capital planning and investment control process. 

4 GAO, Information Technology: Critical Factors Underlying Successful Major Acquisitions, 
GAO-12-7 (Washington, D.C.: Oct. 21, 2011). 

5 GAO-12-7. 
discussion of the objectives, scope, and methodology of this work is 
included in each of the reports on which this testimony is based. 6 


Background 


Information technology should enable government to better serve the 
American people. However, according to OMB, despite spending more 
than $600 billion on IT over the past decade, the federal government has 
achieved little of the productivity improvements that private industry has 
realized from IT. 7 Too often, federal IT projects run over budget, behind 
schedule, or fail to deliver promised functionality. In combating this 
problem, proper oversight is critical. 

Both OMB and federal agencies have key roles and responsibilities for 
overseeing IT investment management and OMB is responsible for 
working with agencies to ensure investments are appropriately planned 
and justified. However, as we have described in numerous reports, 8 
although a variety of best practice documentation exists to guide their 
successful acquisition, federal IT projects too frequently incur cost 
overruns and schedule slippages while contributing little to mission- 
related outcomes. 


6 GAO-13-524; GAO, Information Technology Reform: Progress Made; More Needs to Be 
Done to Complete Actions and Measure Results, GAO-12-461 (Washington, D.C.: Apr. 
26, 2012); IT Dashboard: Accuracy Has Improved, and Additional Efforts Are Under Way 
to Better Inform Decision Making, GAO-12-210 (Washington, D.C.: Nov. 7, 2011); 
GAO-12-7; Information Technology: OMB Has Made Improvements to Its Dashboard, but 
Further Work Is Needed by Agencies and OMB to Ensure Data Accuracy, GAO-11-262 
(Washington, D.C.: Mar. 15, 2011); and Information Technology: OMB's Dashboard has 
Increased Transparency and Oversight, but Improvements Needed, GAO-10-701 
(Washington, D.C.: July 16, 2010). 

7 OMB, 25 Point Implementation Plan to Reform Federal Information Technology 
Management (Washington, D.C.: December 2010). 

8 See, for example, GAO, FEMA: Action Needed to Improve Administration of the National 
Flood Insurance Program, GAO-11-297 (Washington, D.C.: June 9, 2011); GAO-10-340; 
Secure Border Initiative: DHS Needs to Address Testing and Performance Limitations 
That Place Key Technology Program at Risk, GAO-10-158 (Washington, D.C.: Jan. 29, 
2010); and GAO-09-564. 
IT Acquisition Best 
Practices Have Been 
Identified by Industry and 
Government and Promoted 
by Legislation 


IT acquisition best practices have been developed by both industry and 
the federal government. For example, the Software Engineering Institute 9 
has developed highly regarded and widely used guidance 10 on best 
practices, such as requirements development and management, risk 
management, configuration management, validation and verification, and 
project monitoring and control. This guidance also describes disciplined 
project management practices that call for the development of project 
details, such as objectives, scope of work, schedules, costs, and 
requirements against which projects can be managed and executed. In 
the federal government, GAO's own research in IT management best 
practices led to the development of the Information Technology 
Investment Management Framework, 11 which describes essential and 
complementary IT investment management disciplines, such as oversight 
of system development and acquisition management, and organizes them 
into a set of critical processes for successful investments. This guidance 
further describes five progressive stages of maturity that an agency can 
achieve in its investment management capabilities, and was developed 
on the basis of our research into the IT investment management practices 
of leading private- and public-sector organizations. GAO has also 
identified opportunities to improve the role played by Chief Information 
Officers (CIO) in IT management. 12 In noting that federal law provides 
CIOs with adequate authority to manage IT for their agencies, GAO also 
reported on limitations that impeded their ability to exercise this authority. 
Specifically, CIOs have not always had sufficient control over IT 
investments; more consistent implementation of CIOs' authority could 
enhance their effectiveness. 


9 The Software Engineering Institute is a federally funded research and development 
center operated by Carnegie Mellon University. Its mission is to advance software 
engineering and related disciplines to ensure the development and operation of systems 
with predictable and improved cost, schedule, and quality. 

10 See, for example, Carnegie Mellon Software Engineering Institute, Capability Maturity 
Model® Integration for Development (CMMI-DEV), Version 1.3 (November 2010); and 
Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for 
Acquisition (CMMI-ACQ), Version 1.3 (November 2010). 

11 GAO, Executive Guide: Information Technology Investment Management, A Framework 
for Assessing and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March 
2004). 

12 GAO, Federal Chief Information Officers: Opportunities Exist to Improve Role in 
Information Technology Management, GAO-11-634 (Washington, D.C.: Sept. 15, 2011). 




Congress has also enacted legislation that reflects IT management best 
practices. For example, the Clinger-Cohen Act of 1996, which was 
informed by GAO best practice recommendations, 13 requires federal 
agencies to focus more on the results they have achieved through IT 
investments, while concurrently improving their IT acquisition processes. 
Specifically, the act requires agency heads to implement a process to 
maximize the value of the agency's IT investments and assess, manage, 
and evaluate the risks of its IT acquisitions. 14 Further, the act establishes 
CIOs to advise and assist agency heads in carrying out these 
responsibilities. 15 The act also requires OMB to encourage agencies to 
develop and use best practices in IT acquisition. 16 

Additionally, the E-Government Act of 2002 established a CIO Council, 
which is led by the Federal CIO, to be the principal interagency forum for 
improving agency practices related to the development, acquisition, and 
management of information resources, including sharing best practices. 17 

Although these best practices and legislation can have a positive impact 
on major IT programs, we have previously testified that the federal 
government continues to invest in numerous failed and troubled 
projects. 18 We stated that while OMB's and agencies’ recent efforts had 
resulted in greater transparency and oversight of federal spending, 
continued leadership and attention was necessary to build on the 
progress that had been made. 


13 GAO, Executive Guide: Improving Mission Performance Through Strategic Information 
Management and Technology: Learning from Leading Organizations, GAO/AIMD-94-115 
(Washington, D.C.: May 1994). See also, GAO, Executive Guide: Measuring Performance 
and Demonstrating Results of Information Technology Investments, GAO/AIMD-98-89 
(Washington, D.C.: March 1998); and Managing Technology: Best Practices Can Improve 
Performance and Produce Results, GAO/T-AIMD-97-38 (Washington, D.C.: January 
1997). 

14 40 U.S.C. § 11312. 

15 40 U.S.C. § 11315 and 44 U.S.C. § 3506(a)(2)(A). 

16 40 U.S.C. § 11302(f). 

17 44 U.S.C. § 3603. The Federal CIO is the presidential designation for the Administrator 
of the OMB Office of E-Government, which was also established by the E-Government 
Act, 44 U.S.C. § 3602. 

18 GAO-13-796T. 
In an effort to end the recurring cycle of failed IT projects, this committee 
has introduced legislation to improve IT acquisition management. 19 
Among other things, this legislation would 


• increase the authority of agency CIOs, 

• eliminate duplication and waste in IT acquisition, and 

• strengthen and streamline IT acquisition management practices. 


We have previously testified in support of this legislation. 20 


OMB Has Several 
Initiatives Under Way to 
Improve the Oversight and 
Management of IT 
Investments 


OMB plays a key role in helping federal agencies manage their 
investments by working with them to better plan, justify, and determine 
how much they need to spend on projects and how to manage approved 
projects. 

In June 2009, OMB established the IT Dashboard to improve the 
transparency into and oversight of agencies' IT investments. According to 
OMB officials, agency CIOs are required to update each major investment 
in the IT Dashboard with a rating based on the CIO’s evaluation of certain 
aspects of the investment, such as risk management, requirements 
management, contractor oversight, and human capital. According to 
OMB, these data are intended to provide a near real-time perspective of 
the performance of these investments, as well as a historical perspective. 
Further, the public display of these data is intended to allow OMB, 
congressional and other oversight bodies, and the general public to hold 
government agencies accountable for results and progress. 


In January 2010, the Federal CIO began leading TechStat sessions— 
reviews of selected IT investments between OMB and agency 
leadership — to increase accountability and transparency and improve 
performance. OMB has identified factors that may result in an investment 
being selected for a TechStat session, such as — but not limited to — 


19 The Federal Information Technology Acquisition Reform Act, introduced as H.R. 1232 
(Mar. 18, 2013), passed by the House on June 14, 2013, as Div. E, H.R. 1960, National 
Defense Authorization Act for Fiscal Year 2014. 

20 GAO-13-796T and Data Centers and The Cloud, Part II: The Federal Government's 
Take on Optimizing New Information Technologies Opportunities to Save Taxpayers 
Money, Before the H.R. Subcommittee on Government Operations of the Committee on 
Oversight and Government Reform, 113th Cong. 10-12 (2013) (statement of U.S. 
Government Accountability Office Director of Information Technology Management Issues 
David A. Powner). 
evidence of (1) poor performance; (2) duplication with other systems or 
projects; (3) unmitigated risks; and (4) misalignment with policies and 
best practices. 

OMB reported that as of April 2013, 79 TechStat sessions had been held 
with federal agencies. According to OMB, these sessions enabled the 
government to improve or terminate IT investments that were 
experiencing performance problems. For example, in June 2010 the 
Federal CIO led a TechStat on the National Archives and Records 
Administration's (NARA) Electronic Records Archives investment that 
resulted in six corrective actions, including halting fiscal year 2012 
development funding pending the completion of a strategic plan. Similarly, 
in January 2011, we reported that NARA had not been positioned to 
identify potential cost and schedule problems early, and had not been 
able to take timely actions to correct problems, delays, and cost increases 
on this system acquisition program. 21 Moreover, we estimated that the 
program would likely overrun costs by between $205 and $405 million if 
the agency completed the program as originally designed. We made 
multiple recommendations to the Archivist of the United States, including 
establishing a comprehensive plan for all remaining work, improving the 
accuracy of key performance reports, and engaging executive leadership 
in correcting negative performance trends. 

Drawing on the visibility into federal IT investments provided by the IT 
Dashboard and TechStat sessions, in December 2010, OMB issued a 
plan to reform IT management throughout the federal government over an 
18-month time frame. 22 Among other things, the plan noted the goal of 
turning around or terminating at least one-third of underperforming 
projects by June 2012. The plan contained two high-level objectives: 

• achieving operational efficiency, and 


21 GAO, Electronic Records Archive: National Archives Needs to Strengthen Its Capacity 
to Use Earned Value Techniques to Manage and Oversee Development, GAO-11-86 
(Washington, D.C.: Jan. 13, 2011). 

22 OMB, 25 Point Implementation Plan to Reform Federal Information Technology 
Management (Washington, D.C.: December 2010). 
• effectively managing large-scale IT programs. 23 

To achieve operational efficiencies, the plan outlined actions required to 
adopt cloud solutions and leverage shared services. To effectively 
manage IT acquisitions, the plan identified key actions, such as improving 
accountability and governance and aligning acquisition processes with 
the technology cycle. Our April 2012 report 24 on the federal government’s 
progress on implementing the plan found that not all action items had 
been completed. These findings are discussed in greater detail later in 
the next section. 


Prior GAO Work Has 
Reported on OMB’s IT 
Investment Oversight and 
Management 


We have previously reported that OMB has taken significant steps to 
enhance the oversight, transparency, and accountability of federal IT 
investments by creating its IT Dashboard, by improving the accuracy of 
investment ratings, and by creating a plan to reform federal IT. However, 
we also found issues with the accuracy and data reliability of cost and 
schedule data, and recommended steps that OMB should take to improve 
these data. 


• In July 2010, we reported 25 that the cost and schedule ratings on 
OMB's Dashboard were not always accurate for the investments we 
reviewed, because these ratings did not take into consideration 
current performance. As a result, the ratings were based on outdated 
information. We recommended that OMB report on its planned 
changes to the Dashboard to improve the accuracy of performance 
information and provide guidance to agencies to standardize 
milestone reporting. OMB agreed with our recommendations and, as 
a result, updated the Dashboard's cost and schedule calculations to 
include both ongoing and completed activities. 


23 The plan also outlined five subordinate goals. The high-level objective of achieving 
operational efficiency aligns with the goal of applying light technology and shared 
solutions (e.g., cloud computing, shared services across the government, and 
consolidation of multiple organizations’ data centers). The high-level objective of 
effectively managing large-scale IT programs aligns with the other four goals: 
strengthening program management; aligning the budget process with the technology 
cycle; streamlining governance and improving accountability; and increasing engagement 
with industry. 

24 GAO-12-461. 

25 GAO-10-701. 
• Similarly, our report in March 2011 26 noted that OMB had initiated 
several efforts to increase the Dashboard’s value as an oversight tool 
and had used its data to improve federal IT management. However, 
we also reported that agency practices and the Dashboard's 
calculations contributed to inaccuracies in the reported investment 
performance data. For instance, we found missing data submissions 
or erroneous data at each of the five agencies we reviewed, along 
with instances of inconsistent program baselines and unreliable 
source data. As a result, we recommended that the agencies take 
steps to improve the accuracy and reliability of their Dashboard 
information, and that OMB improve how it rates investments relative 
to current performance and schedule variance. Most agencies 
generally concurred with our recommendations and three have taken 
steps to address them. OMB agreed with our recommendation for 
improving ratings for schedule variance. It disagreed with our 
recommendation to improve how it reflects current performance in 
cost and schedule ratings, but more recently made changes to 
Dashboard calculations to address this while also noting challenges in 
comprehensively evaluating cost and schedule data for these 
investments. 

• Subsequently, in November 2011, we noted 27 that the accuracy of 
investment cost and schedule ratings had improved since our July 
2010 report because OMB refined the Dashboard’s cost and schedule 
calculations. Most of the ratings for the eight investments we reviewed 
as part of our November 2011 report were accurate, although we 
noted that more could be done to inform oversight and decision 
making by emphasizing recent performance in the ratings. We 
recommended that the General Services Administration comply with 
OMB’s guidance for updating its ratings when new information 
becomes available (including when investments are rebaselined). The 
agency concurred and has since taken actions to address this 
recommendation. Since we previously recommended that OMB 
improve how it rates investments, we did not make any further 
recommendations. 


26 GAO-11-262. 

27 GAO-12-210. 
• Further, in April 2012, we reported 28 that OMB and key federal 
agencies had made progress on implementing action items from its 
plan to reform IT management, but found that there were several 
areas where more remained to be done. Specifically, we reviewed 10 
actions and found that 3 were complete, while 7 were incomplete. For 
example, we found that OMB had reformed and strengthened 
investment review boards, but had only partially issued guidance on 
modular development. Accordingly, we recommended, among other 
things, that OMB ensure that the action items called for in the plan be 
completed by the responsible parties prior to the completion of the 
plan's 18-month deadline of June 2012, or if the June 2012 deadline 
could not be met, by another clearly defined deadline. OMB agreed to 
complete the key action items. 

• Finally, we reviewed OMB’s efforts to help agencies address IT 
projects with cost overruns, schedule delays, and performance 
shortfalls in June 2013. 29 In particular, we reported that OMB used 
CIO ratings from the Dashboard, among other sources, to select at- 
risk investments for reviews known as TechStats. 30 OMB initiated 
these reviews in January 2010 to further improve investment 
performance, and subsequently incorporated the TechStat model into 
its plan for reforming IT management. We reported that OMB and 
selected agencies had held multiple TechStat sessions but additional 
OMB oversight was needed to ensure that these meetings were 
having the appropriate impact on underperforming projects and that 
resulting cost savings were valid. Among other things, we 
recommended that OMB require agencies to address their highest- 
risk investments and to report on how they validated the outcomes. 
OMB generally agreed with our recommendations, and stated that it 
and the agencies were taking appropriate steps to address them. 


28 GAO-12-461. 

29 GAO-13-524. 

30 TechStat sessions are face-to-face meetings to terminate, halt, or turnaround IT 
investments that are failing or are not producing results. 
Critical Factors 
Underlying Successful 
Major Acquisitions 


Subsequent to the launch of the Dashboard and the TechStat reviews, 
and to help the federal agencies address the well-documented acquisition 
challenges they face, in 2011, 31 we reported on nine common factors 
critical to the success of IT investment acquisitions. Specifically, we 
reported that department officials from seven agencies each identified a 
successful investment acquisition, in that they best achieved their 
respective cost, schedule, scope, and performance goals. To identify 
these investments, we interviewed officials from the 10 departments with 
the largest planned IT budgets in order for each department to identify 
one mission-critical, major IT investment that best achieved its cost, 
schedule, scope, and performance goals. Of the 10 departments, 7 
identified successful IT investments, for a total of 7 investments. 32 
Officials from the 7 investments cited a number of success factors that 
contributed to these investments’ success. 


According to federal department officials, the following seven investments 
(shown in table 1) best achieved their respective cost, schedule, scope, 
and performance goals. The estimated total life-cycle cost of the seven 
investments is about $5 billion. 


31 GAO-12-7. 

32 The three departments that were unable to identify an IT investment that met the criteria 
for this engagement were the Departments of Agriculture, Health and Human Services, 
and Justice. The Departments of Agriculture and Health and Human Services each 
identified systems that they stated met our criteria; however, we did not agree that the 
systems selected were mission-critical. Justice stated that it had identified an investment 
that met our criteria; however, it was unable to locate key documentation and evidence 
needed for our review. 
Table 1: IT Investments Identified as Successful by Federal Departments 

Dollars in millions 

Department | Managing agency | Investment | Total estimated life-cycle costs
Commerce | Census Bureau | Decennial Response Integration System | $1,050.0
Defense | Defense Information Systems Agency | Global Combat Support System-Joint Increment 7 | $249.9
Energy | National Nuclear Security Administration | Manufacturing Operations Management Project | $41.3
Homeland Security | U.S. Customs and Border Protection | Western Hemisphere Travel Initiative | $2,000.0
Transportation | Federal Aviation Administration | Integrated Terminal Weather System | $472.5
Treasury | Internal Revenue Service | Customer Account Data Engine 2 | $1,300.0 (Transition States 1 and 2)
Veterans Affairs | Veterans Health Administration | Occupational Health Record-keeping System | $34.4


Source: Agency data 


Among these seven IT investments, officials identified nine factors as 
critical to the success of three or more of the seven. The factors most 
commonly identified include active engagement of stakeholders, program 
staff with the necessary knowledge and skills, and senior department and 
agency executive support for the program. These nine critical success 
factors are consistent with leading industry practices for IT acquisitions. 
Table 2 shows how many of the investments reported the nine factors, 
and selected examples of how agencies implemented them are discussed 
below. A more detailed discussion of the investments' identification of 
success factors can be found in our 2011 report. 33 


33 GAO-12-7. 
Table 2: Number of Selected Investments Identifying Critical Success Factors 

Critical success factor | Number of investments reporting
Program officials were actively engaged with stakeholders | 7
Program staff had the necessary knowledge and skills | 6
Senior department and agency executives supported the programs | 6
End users and stakeholders were involved in the development of requirements | 5
End users participated in testing of system functionality prior to formal end user acceptance testing | 5
Government and contractor staff were consistent and stable | 4
Program staff prioritized requirements | 4
Program officials maintained regular communication with the prime contractor | 4
Programs received sufficient funding | 3


Source: GAO analysis of agency data. 


Officials from all seven selected investments cited active engagement 
with program stakeholders — individuals or groups (including, in some 
cases, end users) with an interest in the success of the acquisition — as a 
critical factor to the success of those investments. Agency officials stated 
that stakeholders, among other things, reviewed contractor proposals 
during the procurement process, regularly attended program 
management office sponsored meetings, were working members of 
integrated project teams,34 and were notified of problems and concerns as
soon as possible. In addition, officials from the two investments at 
National Nuclear Security Administration and U.S. Customs and Border 
Protection noted that actively engaging with stakeholders created 
transparency and trust, and increased the support from the stakeholders. 

Additionally, officials from six of the seven selected investments indicated 
that the knowledge and skills of the program staff were critical to the 
success of the program. This included knowledge of acquisitions and
procurement processes, monitoring of contracts, large-scale
organizational transformation, Agile software development concepts,35
and areas of program management such as earned value management
and technical monitoring.

34 OMB defines an integrated project team as a multi-disciplinary team led by a project
manager responsible and accountable for planning, budgeting, procurement, and life-cycle
management of the investment to achieve its cost, schedule, and performance goals.
Team skills include budgetary, financial, capital planning, procurement, user, program,
architecture, earned value management, security, and other staff as appropriate.

Finally, officials from five of the seven selected investments identified 
having the end users test and validate the system components prior to 
formal end user acceptance testing for deployment as critical to the 
success of their program. Similar to this factor, leading guidance 
recommends testing selected products and product components 
throughout the program life cycle.36 Testing of functionality by end users
prior to acceptance demonstrates, earlier rather than later in the program 
life cycle, that the functionality will fulfill its intended use. If problems are 
found during this testing, programs are typically positioned to make 
changes that are less costly and disruptive than ones made later in the 
life cycle would be. 

In summary, the expanded use of these critical IT acquisition success 
factors, in conjunction with industry and government best practices, 
should result in the more effective delivery of mission-critical systems. 
Further, these factors support OMB's objective of improving the 
management of large-scale IT acquisitions across the federal 
government, and wide dissemination of these factors could complement 
OMB's efforts. While OMB’s and agencies' recent efforts have resulted in 
greater transparency and oversight of federal spending, continued 
leadership and attention are necessary to build on the progress that has 
been made. By improving the accuracy of information on the IT 
Dashboard, and holding additional TechStat reviews, management 
attention can be better focused on troubled projects and establishing 
clear action items to turn these projects around or terminate them. 
Further, legislation such as that proposed by this committee can play an
important role in increasing the authority of agency CIOs and improving
federal IT acquisition management practices. Overall, the implementation
of our numerous recommendations regarding key aspects of IT
acquisition management can help OMB and federal agencies continue to
improve the efficiency and transparency with which IT investments are
managed, in order to ensure that the federal government's substantial
investment in IT is being wisely spent.

35 Agile software development is not a set of tools or a single methodology, but a
philosophy based on selected values, such as prioritizing customer satisfaction through
early and continuous delivery of valuable software; delivering working software frequently,
from every couple of weeks to every couple of months; and making working software the
primary measure of progress. For more information on Agile software development, see
http://www.agilealliance.org.

36 See for example, Carnegie Mellon Software Engineering Institute, Capability Maturity
Model® Integration for Acquisition (CMMI-ACQ), Version 1.3 (November 2010).


Chairman Issa, Ranking Member Cummings, and Members of the 
Committee, this completes my prepared statement. I would be pleased to 
respond to any questions that you may have at this time. 
Chairman ISSA. Thank you.
Mr. Chao. 


STATEMENT OF HENRY CHAO 

Mr. Chao. Good morning, Chairman Issa, Ranking Member 
Cummings, and members of the committee. Since the passage of 
the Affordable Care Act, CMS has been hard at work to design, 
build, and test secure systems that ensure Americans are able to 
enroll in affordable health care coverage. 

I serve as CMS’s Deputy Chief Information Officer and I am a 
career civil servant that has 20 years working at CMS on Medicare 
and Medicaid systems of varying skills. My role has been to guide 
the technical aspects of the Marketplace development and imple- 
mentation to Federally-facilitated a Marketplace eligibility enroll- 
ment systems in the data services Hub. 

I work closely with the private sector’s contractors building these 
IT components of Healthcare.gov. I also work closely with my col- 
leagues in CMS who handle other IT and policy aspects of the site, 
including the Center for Consumer Information and Insurance 
Oversight, which manages the business operations and makes pol- 
icy decisions that relate to Healthcare.gov; the chief information of- 
ficer who oversees the account creation on Healthcare.gov through 
management of a shared service called the Enterprise Identity 
Management System; and the Office of Communications, which is 
focused on the call center operations and the user experience as- 
pects of Healthcare.gov. 

To facilitate the various key functions of the Federally-facilitated
Marketplace, CMS contracted with QSSI to develop the Hub and 
CGI Federal to develop the Federally-facilitated Marketplace. The 
Hub facilitates the secure verification of the information a con- 
sumer provides in their Marketplace application with information 
maintained by other Federal data sources such as SSA and IRS. In 
addition to the Hub, CMS contracted with CGI Federal to build the 
Federally-facilitated Marketplace system which consumers use to 
apply for health care coverage through private qualified health 
plans and for affordability programs like Medicaid, CHIP, and ad- 
vanced premium tax credits and cost-sharing reductions. 

The Federally-facilitated Marketplace system consists of numer- 
ous modules, each of which was tested for functionality and for se- 
curity controls. Numerous test cases were used to exercise the end- 
to-end functionality of the system. We underestimated the volume 
of users who would attempt to concurrently access the system at 
any one time initially in October, and we immediately addressed 
the capacity issues in the first few days and continue to actively 
work on further improving performance and creating a better user 
experience. 

Healthcare.gov is made up of two major subdivisions. One sub- 
division is called Learn and contains information to assist and edu- 
cate consumers about the Marketplace. In addition, a premium es- 
timation tool was launched on October 10th to allow consumers to 
browse health plans without creating a Healthcare.gov account on 
the Get Insured subdivision of Healthcare.gov, which contains the 
online application for enrollment. 
While the premium estimation tool could only sort consumers
into two age categories when it was first launched, its functionality 
will be expanded to accommodate additional scenarios to better fit 
consumer shopping profiles. This tool is different from the FFM ap- 
plication because determinations about consumers’ eligibility for in- 
surance affordability programs, Medicaid and CHIP, are specific to 
the characteristics of an applicant and his or her household, and 
could only be calculated when an application is completed, after in- 
come, citizenship, and other information is verified. 

I know that consumers using Healthcare.gov have been frus- 
trated in these initial weeks after the site’s launch. While the Hub 
is working as intended, after the launch of the FFM online applica- 
tion, numerous unanticipated technical problems surfaced which 
have prevented some consumers from moving through the account 
creation, application, eligibility, and enrollment processes in a 
smooth and seamless manner. Some of those problems have been 
resolved and the site is functioning much better than it did ini- 
tially. Users can now successfully create an account, continue 
through the full application and enrollment processes. We are now 
able to process nearly 17,000 registrations per hour, or 5 per sec- 
ond, with no errors. Thanks to enhanced monitoring tools, we are 
now better able to see how quickly the online application is re- 
sponding and to measure how changes improve user experience on 
the site. 

We reconfigured various systems components to improve site re- 
sponsiveness, increasing performance across the site, but in par- 
ticular the viewing and filtering of health plans during the online 
shopping process. We have also made software configuration 
changes that have added capacity to improve the efficiency and ef- 
fectiveness of the system. 

CMS is committed to creating a safe, secure, and resilient IT sys- 
tem that helps expand access to quality affordable health care cov- 
erage. We are encouraged that the Hub is working as intended, 
and that the framework for a better functioning Federally-facili- 
tated Marketplace eligibility system and enrollment is in place. 

[Prepared statement of Mr. Chao follows:] 
U. S. House Committee on Oversight and Government Reform
“Development and Deployment of HealthCare.gov”

November 13, 2013 

Good morning, Chairman Issa, Ranking Member Cummings, and members of the Committee.
Since the passage of the Affordable Care Act, the Centers for Medicare & Medicaid
Services (CMS), in partnership with private sector contractors, has been hard at work to design,
build, and test secure systems that ensure Americans are able to enroll in affordable health care
coverage. I serve as CMS’s Deputy Chief Information Officer (CIO), and I am a career civil
servant. As Deputy CIO, my role has been to guide the technical aspects of Marketplace 
development and implementation in accordance with all applicable laws, regulations, and 
agreements. While consumers using HealthCare.gov have been frustrated in these initial weeks 
after the site’s October 1, 2013 launch, CMS is working around the clock to address problems so 
that the site works smoothly for the vast majority of users by the end of this month. 

Overview of Marketplace Information Technology (IT) 

The Affordable Care Act directs states to establish State-based Marketplaces by January 1, 2014. 
In states electing not to establish and operate such a Marketplace, the Affordable Care Act 
requires the Federal Government to establish and operate a Marketplace in the state, referred to 
as a Federally-facilitated Marketplace. The Marketplace provides consumers access to health 
care coverage through private, qualified health plans, and consumers seeking financial assistance 
may qualify for insurance affordability programs like Medicaid, the Children's Health Insurance 
Program (CHIP), or the advance payment of the premium tax credits and cost-sharing reductions 
that can lower consumers’ upfront and out-of-pocket costs. 

Marketplace IT System Functions 

To fulfill the functions specified in the Affordable Care Act, Federally-facilitated and State- 
based Marketplaces developed eligibility and enrollment, redetermination, and appeals systems. 
In many ways, these systems are similar to what private issuers, Medicare Advantage issuers,
and State Medicaid agencies currently use to determine eligibility, enroll applicants into health
coverage, process appeals, and perform customer service, as well as prevent fraud, waste, and
abuse. 

These systems: 

• Determine a consumer’s eligibility to enroll in a qualified health plan through the 
Marketplace and for insurance affordability programs; 

• Transmit consumer information to state Medicaid/CHIP agencies or the private, qualified 
health plan issuer they have chosen; 

• Redetermine consumer eligibility status during the year, as needed; and 

• Allow individuals to appeal an eligibility determination. 

Privacy, Security, and Integrity Controls for the Marketplace IT Systems

A key feature of the Marketplace IT systems is that they employ stringent privacy and security
controls to safeguard consumer data. CMS developed the data services Hub and Federally- 
facilitated Marketplace eligibility and enrollment system consistent with Federal statutes, 
guidelines and industry standards that ensure the security, privacy, and integrity of systems and 
the data that flows through them. All of CMS’ IT systems — including Federal Marketplace 
systems of records and systems used to support State-based Marketplaces and Medicaid/CHIP 
agencies — are subject to the Privacy Act of 1974, the Computer Security Act of 1987, and the 
Federal Information Security Management Act of 2002 (FISMA). These systems must also 
comply with various rules, regulations, and standards promulgated by the Department of Health 
and Human Services (HHS), the Office of Management and Budget, the Department of 
Homeland Security, and the National Institute of Standards and Technology (NIST). 

Key Marketplace IT Functions 

To facilitate the back-end online eligibility and enrollment, redetermination, and appeals 
functions consumers access through HealthCare.gov, CMS developed two key tools, in 
partnership with private sector contractors. CMS contracted with QSSI to build the Hub, which 
provides an electronic connection between the eligibility systems of the Marketplace and State 
Medicaid and CHIP agencies to already existing, secure Federal and state databases to verify the 
information consumers provide in their applications for coverage. In addition, CMS contracted 
with CGI Federal to build the Federally-facilitated Marketplace eligibility and enrollment 
system, which consumers use to create an account on HealthCare.gov, verify their identity, fill
out an electronic application to determine their eligibility for health care coverage through 
private, qualified health plans, Medicaid, CHIP or other insurance affordability programs, choose 
a health insurance plan and ultimately enroll in health coverage. 

The Data Services Hub 

CMS designed the Hub, a routing tool that helps the Marketplace and State Medicaid and CHIP 
agencies provide accurate and timely eligibility determinations. The Hub verifies data against 
information contained in already existing, secure and trusted Federal databases. CMS has 
security and privacy agreements with all Federal agencies and states connecting to the Hub. 

These include the Social Security Administration, the Internal Revenue Service, the Department 
of Homeland Security, the Department of Veterans Affairs, Medicare, TRICARE, the Peace 
Corps and the Office of Personnel Management. The Hub increases efficiency and security by 
eliminating the need for each Marketplace, Medicaid agency, and CHIP agency to set up separate 
data connections to each database. Risk increases when the number of connections to a data 
source increases — which is why CMS has designed the Hub to minimize these risks. The Hub
provides one highly secured connection among trusted Federal and state databases instead of 
requiring each agency to set up what could have amounted to hundreds of independently 
established connections. Further, the Hub is not a database; it does not retain or store 
information. It is a routing tool that can validate applicant information from various trusted 
Government databases through secure networks. 

Every Federal IT system must comply with rigorous standards before the system is allowed to 
operate. The Hub’s independent Security Controls Assessment was completed on 
August 23, 2013 and it received an authorization to operate on September 6, 2013. This 
authorization confirms that the Hub complies with Federal standards and that CMS implemented 
the appropriate procedures and safeguards necessary for the Hub to operate securely. 

The Hub and the Federally-facilitated Marketplace eligibility and enrollment system have several 
layers of protection in place to mitigate information security risk. For example, these 
Marketplace IT systems will employ a continuous monitoring model that will utilize sensors 
and active event monitoring to quickly identify and take action against irregular behavior and
unauthorized system changes that could indicate a potential incident. If a security incident 
occurs, an Incident Response capability would be activated, which allows for the tracking, 
investigation, and reporting of incidents. This allows CMS to quickly identify security incidents 
and ensure that the relevant law enforcement authorities, such as the HHS Office of Inspector 
General Cyber Crimes Unit, are notified for purposes of possible criminal investigation. As with 
all systems, the responsibility to safeguard information is an ongoing process, and CMS will 
remain vigilant throughout operations to anticipate and protect against data security concerns. 
The Marketplace IT monitoring program will continually be reviewed for effectiveness of the 
IT’s security controls, through methods that include independent penetration testing, automated 
vulnerability scans, system configuration monitoring, and active web application scanning. 

The Federally-Facilitated Marketplace Eligibility and Enrollment System

As described above, the Affordable Care Act directs states to establish State-based Marketplaces
by January 1, 2014. In states electing not to establish and operate such a Marketplace, the 
Affordable Care Act requires the Federal Government to establish and operate a Marketplace for 
the state, referred to as a Federally-facilitated Marketplace. CMS contracted with CGI Federal to 
build the Federally-facilitated Marketplace system, including the eligibility and enrollment 
system. This system lets consumers establish a HealthCare.gov account that they can return to at 
any point in the application process, and the system connects to the Hub to validate the 
information consumers submit. Once consumer information is verified, the eligibility and 
enrollment system forwards consumer applications to an eligibility tool to determine the 
consumer’s eligibility for Medicaid, CHIP, or tax subsidies. For those consumers eligible for tax 
subsidies, it then allows consumers to compare qualified health plans and start to enroll in the 
plan of their choosing, transferring the consumer’s information to the issuer to complete the 
enrollment process. 

Separate from the Federally-facilitated Marketplace eligibility and enrollment system on 
HealthCare.gov is a premium estimation tool, launched on October 10, 2013, that allows 
consumers to browse health plans without creating a HealthCare.gov account. While the tool 
could only sort consumers into two age categories when it was first launched, its functionality 
will be expanded to accommodate additional scenarios to better fit consumer shopping profiles.
This tool is different from the Federally-facilitated Marketplace application because 
determinations about consumers’ eligibility for insurance affordability programs, Medicaid, and 
CHIP are specific to the characteristics of an applicant and his or her household and can only be 
calculated when an application is completed — after income, citizenship, and other information is 
verified. 

The Federally-facilitated Marketplace eligibility and enrollment system consists of numerous 
modules. Each module of this system was tested for functionality. Each interface with our 
business partners and other Federal agencies was also tested. Numerous test cases were used to 
exercise the end-to-end functionality of the system. Given the user experience, we know now 
that we underestimated the volume of users who would attempt to log onto the system at the 
same time, and therefore our testing did not include performance testing at the volume we 
experienced at launch. 

On September 27, 2013, CMS granted authority for the Federally-facilitated Marketplace
eligibility and enrollment system to begin operations, with authority to operate for six months. 
Consistent with security practices as required by FISMA and NIST, CMS identified a number of 
strategies that we are deploying to continue to monitor operations and mitigate any potential risk, 
including through regular additional testing. The authorization to operate the Federally- 
facilitated Marketplace eligibility and enrollment system is consistent with NIST guidance. 
FISMA and the NIST Risk Management framework permit agencies to authorize an “authority to 
operate” when there is a risk-mitigation strategy in place. To follow through on the risk 
mitigation strategy identified in the authorization to operate the Federally-facilitated Marketplace 
eligibility and enrollment system, we continue to conduct security testing on an ongoing basis as 
we add new IT functionality. 

Improvements to the Federally-facilitated Marketplace Eligibility and Enrollment System 

While the Hub is working as intended, after the launch of the Federally-facilitated Marketplace 
eligibility and enrollment system, numerous unanticipated technical problems surfaced which 
have prevented some consumers from moving through the account creation, application,
eligibility, and enrollment processes in a smooth, seamless manner. Some of those problems
have been resolved, and the site is functioning much better than it did initially. We are 
committed to fixing these problems so that the experience using the Federally-facilitated 
eligibility and enrollment system improves for the vast majority of consumers by the end of 
November 2013. 

To ensure that we make swift progress, and that the consumer experience continues to improve, 
our team called in additional help to solve some of the more complex technical issues we are 
encountering. We brought on board management expert and former CEO and Chairman of two 
publicly-traded companies, Jeff Zients, to work in close cooperation with our team to provide 
management advice and counsel to the project. We have also enlisted the help of QSSI to serve 
as a general contractor for the project. They are familiar with the complexity of the system, and 
the work they provided — the Hub — is working well and performing as it should. They are 
working with CMS leadership and contractors to prioritize the needed fixes and make sure they 
get done. 

A number of fixes have already been completed. One place where we have seen a lot of 
consumer frustration is in the ability to successfully create an account. This issue is something 
that we identified on October 1, and we have made significant progress since then to deliver a 
much smoother process for consumers. Users can now successfully create an account and 
continue through the full application and enrollment process. We are now able to process nearly 
17,000 registrants per hour, or 5 per second, with almost no errors. 

The tech team put into place enhanced monitoring tools for HealthCare.gov, enabling us to get a 
high level picture of the Federally-facilitated Marketplace eligibility and enrollment 
system. Thanks to this work, we are now better able to see how quickly pages are responding, 
and to measure how changes improve user experience on the site. 


We reconfigured various system components to improve site responsiveness. This has increased 
performance across the site, but in particular the viewing and filtering of health plans during the 
online shopping process now responds in just seconds. It was taking minutes. We have also 
resolved issues with how the eligibility notices are presented to consumers. They now display
properly at the completion of the application process. 

Other fixes include software configuration changes and optimization that have increased the 
efficiency of system interactions. We also added capacity by doubling the number of servers and 
have replaced the virtual database with a high-capacity physical one. This allowed us to be more 
efficient and effective in our processing time and significantly reduced the account registration 
failures. While significant work remains, these changes are already making the shopping process 
easier for consumers. 

Conclusion 

CMS is committed to creating safe, secure, and resilient IT systems that help expand access to 
the quality, affordable health coverage every American needs. We are encouraged that the Hub is 
working as intended, and that the framework for a better-functioning Federally-facilitated 
Marketplace eligibility and enrollment system is in place. By enlisting additional technical help, 
aggressively monitoring for errors, testing to prevent new issues from cropping up, and regularly 
deploying fixes to the site, we have already made significant improvements to the performance 
and functionality of the system. We expect that over the next few weeks, consumers will see 
improvements to the site each week, and that the consumer experience using the Federally- 
facilitated Marketplaces eligibility and enrollment system through HealthCare.gov will be 
greatly improved for the vast majority of users by November 30. 
Chairman ISSA. I know this isn’t questioning time, but if you can
tell us 17,000 are signing up per hour, then why is a subpoena 
from Ways and Means unanswered as to how many have signed 
up? Please, don’t answer yet. We will get to that. 

Mr. Baitman. 


STATEMENT OF FRANK BAITMAN 

Mr. Baitman. Good morning, Chairman Issa, Ranking Member 
Cummings, and members of this committee. My name is Frank 
Baitman, and I am the Deputy Assistant Secretary for Information 
Technology and the Chief Information Officer at the U.S. Depart- 
ment of Health and Human Services. I am pleased to join you here 
today. 

The Department of Health and Human Services is the United 
States Government’s principal agency for protecting the health of 
all Americans and providing essential human services, especially 
for those who are least able to help themselves. At the Department 
level, the Office of the Chief Information Officer serves this objec- 
tive by leading the development and implementation of an enter- 
prise-level information technology framework. HHS is committed to 
the effective and efficient management of our information resources 
in support of our public health mission, human services program, 
and the U.S. health system. 

The HHS OCIO is responsible for developing the Department’s 
policy framework for IT, including such areas as enterprise archi- 
tecture, capital planning, records management, accessibility, and 
security and privacy. For example, the security arena has a healthy 
framework that encompasses the Federal Information Security 
Management Act of 2002, OMB directives, and the National Insti- 
tute of Standards and Technology’s guidance on security and pri- 
vacy, all of which are embodied in the Department’s security poli- 
cies. 

Our information technology portfolio is sizeable, including sup- 
port to a number of grant programs that provide IT resources to 
State, local, and tribal governments in support of the programs ad- 
ministered by HHS. The Department’s portfolio also supports ev- 
erything from common and commodity IT, things like human re- 
sources, email, and accounting systems; to the mission systems 
that enable research at the National Institutes of Health; to the 
regulation of drugs and devices at the Food and Drug Administra- 
tion; and to the treatment of patients at the Indian Health Serv- 
ices’ network of clinics. 

HHS is a large department, with a diverse set of missions. Our 
operating divisions include the Administration for Children and 
Families; the Administration for Community Living; the Adminis- 
tration for Health, Research and Quality; the Centers for Disease 
Control and Prevention; the Centers for Medicare and Medicaid 
Services, known as CMS; the Food and Drug Administration; the 
Health Resources and Services Administration; the Indian Health 
Service; the National Institutes of Health; and the Substance 
Abuse and Mental Health Services Administration. That is what 
makes up HHS. And we manage our IT portfolio through a fed- 
erated governance structure. The vast majority of the Department’s 
IT resources are dedicated directly to the appropriations made to 
our programs and operating divisions, and our governance structure
reflects that reality. Program-level IT decisions are governed
and reviewed by our operating divisions. 

Each of HHS’s operating divisions has its own chief information 
officer, its own chief information security officer, and an IT man- 
agement structure; and management of the development of 
Healthcare.gov was comparable to management of similar IT initia- 
tives throughout the Department’s operating divisions. Indeed, 
prior IT initiatives that we are all familiar with, including
Medicare.gov and Medicare Part D Prescription Drug program were led
and developed by CMS, who serves as the business owner and
developer of Healthcare.gov’s integrated eligibility and enrollment
system for the Federally-facilitated Marketplace. 

Since I joined the Department about 18 months ago, we have 
been working to restructure and update our IT governance, bring- 
ing visibility into what the Department buys and builds across all 
of our operating divisions, and we are now in the process of putting 
in place three IT steering committees to bring together technology 
and program leaders from across the Department to improve our 
purchasing and management of IT resources. These steering com- 
mittees take a functional view of our IT portfolio. We have created 
one to oversee health and human service systems, a second to over- 
see scientific research systems, and a third for administrative and 
management systems. 

This governance structure will improve Department-wide over- 
sight of IT purchases and projects. Secretary Sebelius has been a 
strong advocate for transparency into the Department’s IT portfolio 
and this new governance structure is designed to achieve that out- 
come. Collectively, these three steering committees will provide De- 
partment-wide guidance to the operating divisions’ respective IT 
portfolios and will ensure that we identify and take advantage of 
opportunities to save taxpayer funds. 

For example, we are now in the process of establishing a Vendor 
Management Office to improve the Department’s negotiating posi- 
tion with technology vendors and to make use of enterprise-wide li- 
cense acquisitions. We are always looking for ways to consolidate 
investment systems or acquisitions to meet the Department’s broad 
IT portfolio needs more effectively and economically. In the fiscal 
year 2014 budget process, HHS identified $250 million in reduc- 
tions within our IT portfolio attributable to savings in various com- 
modity IT areas. 

Chairman ISSA. Mr. Baitman, we know how great a job you are 
doing; that is why you are here today. Could you please wrap up? 

Mr. Baitman. Sure. 

I appreciate the opportunity to be with you here today. 

[Prepared statement of Mr. Baitman follows:] 

U.S. House Committee on Oversight and Government Reform 
“ObamaCare Implementation: The Rollout of HealthCare.gov” 

November 13, 2013 

Good morning, Chairman Issa, Ranking Member Cummings, and members of this Committee. 
My name is Frank Baitman and I am the Deputy Assistant Secretary for Information Technology 
and Chief Information Officer (CIO) at the U.S. Department of Health and Human Services 
(HHS or Department). I am pleased to join you here today. 

The Department of Health and Human Services is the United States government’s principal 
agency for protecting the health of all Americans and providing essential human services, 
especially for those who are least able to help themselves. At the Department level, the Office of 
the Chief Information Officer (OCIO) serves this objective by leading the development and 
implementation of an enterprise-level information technology (IT) framework. HHS is 
committed to the effective and efficient management of our information resources in support of 
our public health mission, human services program, and the United States health system. The 
HHS OCIO is responsible for developing the Department’s policy framework for IT, including 
such areas as enterprise architecture, capital planning, records management, accessibility, and 
security and privacy. For example, the security arena has a healthy framework that encompasses 
the Federal Information Security Management Act of 2002, OMB Directives, and the National 
Institute of Standards and Technology’s guidance on security and privacy, all of which are 
embodied in Departmental policies. Our information technology (IT) portfolio is sizable, 
including support for a number of grant programs that provide IT resources to state, local, and 
tribal governments in support of the programs administered by HHS. The Department’s 
portfolio also supports everything from common and commodity IT — things like human 
resources, email, and accounting systems — to the mission systems that enable research at the 
National Institutes of Health (NIH), regulation of drugs and devices at the Food and Drug 
Administration (FDA), and treatment at the Indian Health Services’ network of clinics. 

HHS is a large department with a diverse set of missions. Our Operating Divisions include: the 
Administration for Children and Families, the Administration for Community Living, the 
Administration for Health Research and Quality, the Centers for Disease Control and Prevention, 
the Centers for Medicare & Medicaid Services (CMS), the Food and Drug Administration, the 
Health Resources and Services Administration, the Indian Health Service, the National Institutes 
of Health, and the Substance Abuse and Mental Health Services Administration. We manage our 
IT portfolio through a federated governance structure. The vast majority of the Department’s IT 
resources are directly tied to appropriations made to our programs and Operating Divisions, and 
our governance structure reflects this reality. Program-level IT decisions are governed and 
reviewed by our Operating Divisions. 

Each of HHS’s Operating Divisions has its own Chief Information Officer (CIO), Chief 
Information Security Officer (CISO), and IT management structure. Management of the 
development of Healthcare.gov was comparable to management of similar IT initiatives 
throughout the Department’s Operating Divisions. Indeed, prior IT initiatives we are all familiar 
with — including Medicare.gov and the Medicare Part D prescription drug program — were led 
and developed by CMS, who serves as the business owner and developer of Healthcare.gov’s 
integrated eligibility and enrollment systems for the Federally-Facilitated Marketplace. 

Since I joined the Department about eighteen months ago, we have been working to restructure 
and update our IT governance — bringing visibility into what the Department buys and builds 
across all of our Operating Divisions. We are in the process of putting in place three IT steering 
committees to bring together technology and program leaders from across the Department to 
improve our purchasing and management of IT resources. These Steering Committees take a 
functional view of our IT portfolio, creating one to oversee health and human services systems, a 
second for scientific research systems, and a third for administrative and management systems 
and our technology infrastructure. 

This governance structure will improve Department-wide oversight of IT purchases and projects. 
Secretary Sebelius has been a strong advocate for complete transparency into the Department’s 
IT portfolio, and this new governance structure is designed to achieve that outcome. Collectively, 
these three steering committees will provide Department-wide guidance to the Operating 
Divisions’ respective IT portfolios, and will ensure that we identify and take advantage of 
opportunities to save taxpayer funds. For example, we are in the process of establishing a Vendor 
Management Office to improve the Department’s negotiating position with technology vendors, 
and to make use of enterprise-wide license acquisitions. 

We are always looking for ways to consolidate investments, systems, or acquisitions to meet the 
Department’s broad IT portfolio needs more effectively. In the FY 2014 budget process, HHS 
identified over $250 million in reductions within our IT portfolio attributable to savings in 
various commodity IT areas, data center consolidations, simplification of redundant contracting 
vehicles, and the elimination of low-value or underperforming investments. 

Thank you for the opportunity to meet with you today. 

Chairman ISSA. Thank you. 
Mr. Park. 


STATEMENT OF TODD PARK 

Mr. Park. Good morning, Chairman Issa, Ranking Member 
Cummings and members of the committee. Thank you for inviting 
me to testify today on the Administration’s ongoing efforts to de- 
liver on the promise of the Affordable Care Act. 

As U.S. Chief Technology Officer, housed at the Office of Science 
and Technology Policy, I serve as an advisor at the White House 
on a broad range of technology policy and strategy priorities, rang- 
ing from how technological innovation can help grow the economy 
to how to open up government data to spur innovation and entre- 
preneurship in the private sector to how the power of technology 
can be harnessed to improve health care, aid disaster relief, fight 
human trafficking, and more. In this work, I try to bring the sen- 
sibilities of the private sector tech entrepreneur that I have been 
for most of my professional life. 

As you know, October 1st was the launch of the new 
Healthcare.gov and the Health Insurance Marketplace, where peo- 
ple without health insurance, including those who cannot afford 
health insurance and those who are not part of a group plan, can 
go to get affordable coverage. 

Unfortunately, the experience on Healthcare.gov has been highly 
frustrating for many Americans. These problems are unacceptable. 
We know there is real interest from the American public in having 
easy access to the new affordable choices in the health insurance 
marketplace. I believe that as public servants we have a shared 
goal: to deliver to Americans the service they deserve and expect. 
And since the beginning of October I have shifted into working full- 
time on the team that is working around the clock to fix 
Healthcare.gov and bring it to the place it should be. 

The team is making progress. The website is getting better each 
week as we work to improve its performance, its stability, and its 
functionality. As a result, more and more individuals are success- 
fully creating accounts, logging in, and moving on to apply for cov- 
erage and shop for plans. We have much work still to do, but are 
making progress at a growing rate. 

I will be happy to try to answer any questions you may have 
about Healthcare.gov and the progress the team is making. Thank 
you very much. 

[Prepared statement of Mr. Park follows:] 

Statement of Todd Park 
U.S. Chief Technology Officer 
Executive Office of the President 
to the 

Oversight and Government Reform Committee 
U.S. House of Representatives 
November 13, 2013 

Good morning, Chairman Issa, Ranking Member Cummings, and Members of the Committee: thank you 
for inviting me to testify today on the Administration's ongoing efforts to deliver on the promise of the 
Affordable Care Act. 

As U.S. Chief Technology Officer, housed at the Office of Science and Technology Policy, I serve as an 
advisor at the White House on a broad range of technology policy and strategy priorities - ranging from 
how technological innovation can help grow the economy to how to open up government data to spur 
innovation and entrepreneurship to how the power of technology can be harnessed to improve health 
care, aid disaster relief, fight human trafficking, and more. In this work, I try to bring the sensibilities of 
the private-sector tech entrepreneur that I've been for most of my professional life. 

As you know, October 1st was the launch of the new Healthcare.gov and the Health Insurance 
Marketplace— where people without health insurance, including those who cannot afford health 
insurance, and those who are not part of a group plan, can go to get affordable coverage. 

Unfortunately, the experience on HealthCare.gov has been highly frustrating for many Americans. 

These problems are unacceptable. We know there is real interest from the American public in having 
easy access to the new, affordable choices in the Health Insurance Marketplace. I believe that as public 
servants, we have a shared goal— to deliver to Americans the service they deserve and expect. And 
since the beginning of October, I have shifted into working full-time on the team that is working around 
the clock to fix HealthCare.gov and bring it to the place it should be. 

The team is making progress. The website is getting better each week, as we work to improve its 
performance, its stability, and its functionality. As a result, more and more individuals are successfully 
creating accounts, logging in, and moving on to apply for coverage and shop for plans. We have much 
work still to do, but are making progress at a growing rate. 

I will be happy to try to answer any questions you may have about HealthCare.gov and the progress the 
team is making. Thank you very much. 

Chairman Issa. Thank you, Mr. Park. 

Mr. VanRoekel. 

STATEMENT OF STEVEN VANROEKEL 

Mr. VanRoekel. Good morning, Chairman Issa, Ranking Mem- 
ber Cummings, and members of this committee. Thank you for this 
opportunity to testify on the efforts to improve the management of 
Federal information technology and its relationship to the imple- 
mentation of the Affordable Care Act. 

As the Chief Information Officer of the United States, I serve as 
the Administrator of the Office of Electronic Government and Infor- 
mation Technology, a statutorily created office within the Office of 
Management and Budget. My primary duties are: developing and 
issuing Government-wide, broad-brush guidance and policy; overseeing 
the development of the President’s $82 billion IT budget; 
and convening and facilitating Federal IT stakeholders to collec- 
tively address and resolve complex cross-Government issues. 

The results from my office have followed these themes: flat-lining 
Federal IT spending since 2009, realizing over $1 billion in savings 
since 2012 with our PortfolioStat program, and facilitating and con- 
vening agencies to work on crosscutting opportunities and policy 
such as our work on opening Government data, closing and opti- 
mizing our data centers, promoting a new wave of cloud computing. 
My office has also done important work in the area of 
cybersecurity, creating new, secure mobile device specifications for 
our Country and protecting Federal IT devices and the network. 

My involvement in the implementation of the ACA also reflects 
from my role as Federal CIO. I acted as a convener and facilitator 
of agencies to work through the technical details of the cross-agen- 
cy implementation work of the ACA, primarily yielding the cross- 
agency Data Service Hub feature of the overall system. 

As the committee is well aware, before joining the Administra- 
tion, I worked in the private sector for nearly 20 years, the major- 
ity of which was at Microsoft Corporation. I shipped and helped 
launch many complex products and well-known brands, such as 
Windows XP, Xbox, and Windows Server. The launch of each of 
these projects presented its own challenges. Microsoft is still 
patching Windows XP, 12 years after I helped launch it in 2001. 
Continuous improvement is the nature of these efforts. 

As you can imagine, connecting multiple legacy IT systems 
across multiple agencies of the Federal Government is a complex 
task; however, this is in no way an excuse for the problems encountered 
in launching Healthcare.gov. We are taking this unacceptable 
situation seriously and working hard to correct course. 

Since October 1st, I am actively helping in the all-hands-on-deck 
effort to assist the Department of Health and Human Services and 
the Centers for Medicare and Medicaid Services in fixing this sys- 
tem. Given my prior experience in the private sector, I acted as a 
customer advocate, helping to assess and address opportunities to 
improve the customer experience while we fix the website. Out- 
comes from this work include updates to the home page of 
Healthcare.gov and listing alternative ways to apply for health in- 
surance. Recently, I am involved in the technical aspects of the 
site, including monitoring progress and advising the team. 

We share the deep concern of this committee regarding the current 
state of Healthcare.gov and we, as a team, are working to improve 
this site to improve access to affordable healthcare coverage 
as soon as possible. I look forward to continuing this work after 
this hearing. 

Thank you again for the opportunity to appear before the com- 
mittee today. 

[Prepared statement of Mr. VanRoekel follows:] 

Good morning, Chairman Issa, Ranking Member Cummings, and Members of the 
Committee. Thank you for this opportunity to testify on the efforts to improve the management 
of Federal Information Technology (IT) and its relationship to the implementation of the 
Affordable Care Act (ACA). 

As the Chief Information Officer of the United States, I serve as the Administrator of the 
Office of Electronic Government and Information Technology, a statutorily-created office within 
the Office of Management and Budget (OMB). My primary duties are: developing and issuing 
government-wide, broad-brush guidance and policy; overseeing the development of the 
President’s $82 billion IT budget; and convening and facilitating Federal IT stakeholders to 
collectively address and resolve complex, cross-government issues. 

The results from my office have followed these themes - flat-lining Federal IT spending 
since 2009, realizing over $1 billion in savings with our PortfolioStat program, and facilitating 
and convening agencies to work on cross-cutting opportunities and policy, such as our work on 
opening Government data, closing and optimizing our data centers, and promoting a new wave 
of cloud computing. My office has also done important work in the area of cyber security 
creating new, secure mobile device specifications for our country and protecting Federal IT 
devices and the network. 

My involvement in the implementation of the ACA also reflects from my role as Federal 
CIO - I acted as a convener and facilitator of agencies to work through the technical details of 
the cross-agency implementation work of the ACA, primarily yielding the Data Services Hub 
feature of the overall system. 

As the Committee is well aware, before joining the Administration, I worked in the 
private sector for nearly 20 years, the great majority of which was at Microsoft Corporation. I 
shipped and helped launch many complex products and well-known brands, such as Windows 
XP, Xbox and Windows Server. The launch of each of these projects presented its own 
challenges. Microsoft is still patching Windows XP, 12 years after I helped launch it in 2001 - it 
is the nature of these efforts. As you can imagine, connecting multiple, legacy IT systems across 
multiple agencies of the Federal Government is a complex task, however, this in no way excuses 
the problems encountered in launching HealthCare.gov. We are taking this unacceptable 
situation seriously and working hard to correct course. 

Since October 1st, I am actively helping in the all-hands-on-deck effort to assist the 
Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid 
Services (CMS) in fixing this system. Given my prior experiences in the private sector, I act as a 
customer advocate, helping to assess and address opportunities to improve the customer 
experience while we fix the website. Outcomes from this work include updates to the home page 
of HealthCare.gov and listing alternative ways to apply for health insurance. Recently, I am 
involved in the technical aspects of the site, including monitoring progress of the website and 
advising the team. 

We share the deep concern of this Committee regarding the current state of 
HealthCare.gov and are committed to working with HHS and CMS to improving this site to 
improve access to affordable healthcare coverage as soon as possible. I look forward to 
continuing that work. 

Thank you again for the opportunity to appear before the Committee today. 


Chairman ISSA. Thank you. 

I now ask unanimous consent that pages 151 and 152 of Mr. 
Chao’s transcribed interview be placed in the record. Without objec- 
tion, so ordered. 

Chairman ISSA. I now ask that the redacted document of CGI 
Federal, which we will call Exhibit 1, I guess, be placed in the 
record. Without objection, so ordered. 

Chairman Issa. And I now ask that the CMS document entitled 
Health Insurance Marketplace Preflight Checklist September 25th, 
2013 be placed in the record. 

Mr. Cummings. Mr. Chairman? 

Chairman Issa. Yes. 

Mr. Cummings. I just want to reserve so I can just see the docu- 
ments, that’s all. 

Chairman Issa. That is a committee document that both sides 
have. 

[Pause.] 

Chairman Issa. Without objection, so ordered. 

Chairman Issa. Mr. Chao, I am going to ask the clerk to give you 
those documents and, before I start, I am going to give you a very 
brief understanding of what I am going to come back to you on in 
just a few minutes. But you have made testimony, on pages 151 
and 152 of your transcribed interview, in a sequence of events that 
were related to the Minority’s questioning of you as to whether or 
not the Anonymous Shopper function worked on October 1st. The 
other document is related to that checklist, and we want to make 
sure you have that before I ask you any further questions under 
oath. 

While he is reading that, Mr. Park, you are here today, and 
taken away from your other duties, because of a serious concern 
about what you knew and what the Administration may have had 
you say, and I want to give you an opening opportunity to clarify 
that. After the October launch, and I will paraphrase, you basically 
said that the problem with the website was that there were 
250,000 simultaneous users; they could have handled 60,000, but 
that 250,000 simply slowed it down or brought it to its knees. 

With your opening statement, the opening statements of others, 
and what you now know, would you like to please, for the record, 
give us the number of simultaneous users you believe could have 
been handled through the portal on day one? 

Mr. Park. Thank you, Mr. Chairman, for the question. It is the 
nature of this kind of situation 

Chairman Issa. Now, Mr. Park? 

Mr. Park. Yes, sir. 

Chairman Issa. I want to treat you with respect, but I have a 
very few minutes. 

Mr. Park. Yes, sir. 

Chairman Issa. You gave a number. That number was erro- 
neous. It couldn’t handle 60,000 simultaneous users. Documents 
that will be placed in the record show that on September 30th the 
system crashed with 1100, and the goal was to get to 10,000. 
Would you like to tell us for the record, based on your working on 
this, what number the American people could simultaneously be on 
the site working on day one before the system began to time out? 



Mr. Park. So, to answer as succinctly as I can, thank you for the 
question, the information that we had at the time was that CMS 
had designed the system for 50,000 to 60,000 concurrent users. 
Right now, if you ask me right now, based on what I know now, 
what the system is currently capable of handling, the thing I would 
be comfortable saying is that the system has been comfortably han- 
dling, at present, about 20,000 to 25,000 current users. 

Chairman Issa. Okay, so it is fair to say, and I will paraphrase, 
on day one, on October 1st, at the launch, some amount, perhaps 
greater than 1,100, which was experienced on September 30th, and 
closer to the goal set on September 30th, which they thought, in 
documents the committee has received, they could get to 10,000 si- 
multaneous. But on day one, on October 1st, when this site 
launched, the site was capable of handling somewhere more than 
1,100, perhaps, but less than 10,000 simultaneous users, and cer- 
tainly not the 60,000, 50,000, 20,000, or 250,000 that simulta- 
neously tried to use the site. Is that correct? 

Mr. Park. So there may be a matter of confusion here, which 
CMS may be better positioned to clarify. 

Chairman Issa. Okay. 

Mr. Park. But I believe that the 1,100 number was for a par- 
ticular unit of capacity. 

Chairman ISSA. Okay. 

Mr. Park. As opposed to the entire system. But I will defer. 

Chairman ISSA. Right. But the problem is there was a front door, 
and that unit of capacity was limited by the front door. You know, 
I come out of the IT world, I come out of the tech world, but the 
American people can understand that you are only as strong as 
your weakest link. If you have a bottleneck that causes people try- 
ing to get through the site to not be able to do it, to time out, that 
bottleneck is what determines it. And since, on day one, only 6 peo- 
ple got to the end, I think that for the American people, under- 
standing that whatever the capacity is today, the capacity was in- 
sufficient on day one. Isn’t that correct? 

Mr. Park. So, sir, just in the interest of providing the most accu- 
rate testimony I can 

Chairman Issa. I only want to know on day one was the capacity 
sufficient. 

Mr. Park. I can’t speak to the numbers that you are talking 
about. But clearly on day one, clearly on day one the system was 
overwhelmed by volume. 

Chairman Issa. Okay. Well, Mr. Park, you are going back to 
something I hoped you wouldn’t do. The volume on day one, and 
maybe the GAO can answer, the volume on day one was not in ex- 
cess of what was expected, was it? The volume on day one was 
what you would expect if everyone is going on the site to see what 
it is all about after three and a half years of waiting, isn’t it, Mr. 
Powner? 

Mr. Powner. Mr. Chairman, I don’t have those specifics, but I 
will say this: these volumes we are talking about, if you go to ex- 
amples like IRS on e-filing and the volume they handle with people 
filing taxes in the eleventh hour, this is the same problem that the 
IRS deals with on an annual basis. What you need to do is you 
need to appropriately plan for your performance in stress-testing, 
and there is fundamental questions whether that was adequate 
here. 

Chairman Issa. Well, and that is what we are going to discover 
throughout the panel today. 

Mr. Chao, I told you I would come back to you. You testified 
under oath, on pages 151 and 152, on the Minority’s questions, that 
basically, and I will paraphrase because of time, this site, the 
Anonymous Shopper function did not work. Now, we have seen a 
document with CMS on it dated September 25th that said it passed 
that test. Is it that you did not know it had passed the test when 
you made your statement saying that it failed? 

Mr. Chao. Well, first off, Chairman, I would like to say that after 
working with your staff for eight, nine hours, as well as the Minor- 
ity staff, going through this transcribed interview, I have not had 
a chance to look at this, so this is the first time I am actually see- 
ing the results of that day, so 

Chairman ISSA. Wait a second. Look, your job is to know what 
is in the site. The CMS report that said, and this is September, be- 
fore the launch, that the test had been passed successfully on the 
Anonymous Shopper. You testified that it wasn’t and that is why 
it was turned off. 

Mr. Chao. Correct. 

Chairman Issa. Are you prepared to say under oath that the 
Anonymous Shopper was turned off by your knowledge, not your 
guess, not your hypothetical, but are you prepared to say the Anon- 
ymous Shopper was turned off because it failed the test? And that 
would be your knowledge based on what you knew. 

Mr. Chao. My words were not that it was turned on or off. I 
think that is actually technically incorrect. I said it was not made 
available because it failed testing. So you hand me this page 151, 
152, which I have not reviewed as far as correctness and accuracy, 
and I suppose you are handing me this other document that 
says 

Chairman Issa. Mr. Chao, what we are doing is we are saying 
that CMS documents show that the Anonymous Shopper tested 
positive, it worked. You said under oath, and I am sorry that you 
may not have remembered what you said under oath, but when the 
Minority asked you what is normally nice questions, self-serving 
questions, help you rehabilitate yourself questions, they are on 
your side, you said effectively that you gave a reason, which the 
ranking member used in his opening statement effectively, that the 
Anonymous Shopper was turned off for reasons other than political. 

Mr. Chao. Because I have 

Chairman Issa. We believe the Anonymous Shopper, the easy 
front door, the I just want to know what it is going to cost was not 
on, and if in fact if it was on, Mr. Park has said this had different 
components. That portion could have been much more effective. 
The American people could have gotten on and shopped. 

Mr. Chao. This line of questions that I was answering about 
Anonymous Shopper is in the context of my knowledge, under oath, 
that it did not pass testing, and I have documents that show it did 
not pass testing. 

Chairman Issa. Okay, so, when — Mr. Chao, my time has expired, 
but when HHS and CMS deliver us documents showing that it 
hasn’t passed, we can have you back. Right now the documents 
provided to us by the vendor show that it did pass on a CMS docu- 
ment. That document is placed in the record. If anyone else would 
like to understand that you have said it failed test, they said it 
passed test. This Administration, in their absence of transparency, 
has refused to give us the documents showing it failed test, but the 
document we have today, which says CMS all over it, which is in 
the record, says it passed test. It passed the test. You said under 
oath it failed the test. Our problem is the people you work for won’t 
give us the documents so we can fully understand that, just as the 
people you work for won’t answer a simple question to the Ways 
and Means Committee, which is how many people have signed up, 
even under a subpoena. 

With that, I recognize the ranking member to try to rehabilitate 
your testimony. 

Mr. Cummings. Mr. Chairman, let me be clear that we have staff 
who work just as hard as yours. It is not about self-serving, it is 
about getting to the truth, and I would not insult your staff 

Chairman ISSA. I wasn’t insulting your staff. 

Mr. Cummings. Well, I take it as an insult. 

Chairman Issa. What I said was that 

Mr. Cummings. It is not about self-serving; it is not about reha- 
bilitating. It is about trying to get to the truth, period, the truth 
and nothing but the truth. And I am not going to try to rehabili- 
tate, as you said, Mr. Chao. 

Chairman Issa. Well, maybe you can get him to give us the docu- 
ments. 

Mr. Cummings. I think in a few moments somebody else on this 
panel will present the documents that there is something that you 
did not disclose just now that will be brought out to show that your 
statements are inaccurate. 

Now, Mr. Park 

Chairman Issa. Would the gentleman yield? 

Mr. Cummings. Of course. Somebody else will bring it up, an- 
other member. 

Chairman Issa. So somebody else will rehabilitate 

Mr. Cummings. No, no, no, no, no. No. No. No. Again, we will 
show you the document that there are some things that you have 
been blacked out that you have not disclosed, and we will show you 
those in a few minutes. 

Now, if I may proceed. 

Mr. Park, although we have not met before today, I understand 
that you have an outstanding reputation in the IT community. I 
did not know this previously, but the cofounder of your former com- 
pany is Jonathan Bush, of Athena Health, who is the cousin of 
former President George Bush, is that right? 

Mr. Park. Yes, sir. 

Mr. Cummings. I have a quote here that Mr. Bush, the cousin 
of the former president, gave to a reporter a few weeks ago, and 
he says this about you: “Todd is uniquely thoughtful, dedicated, 
and precise. He is a manic problem-solver, blind to partisanship. If 
there is anyone who can fix the problems with the exchanges, it is 
Todd.” 
Mr. Bush also said that you are working so hard to improve the 
website that you “spent the first week of October sleeping on the 
floor of his office as he tried to help get Healthcare.gov off the 
mat.” Is that right? 

Mr. Park. Yes, sir. 

Mr. Cummings. Well, your reputation certainly precedes you. Un- 
fortunately, however, last week Chairman Issa appeared on Fox 
News and accused you and other political appointees of engaging 
in a “pattern of interference and false statements related to this 
site.” 

That is a serious attack against your integrity. I don’t want to 
get into anyone’s intent or motives here, but I do want to give you 
an opportunity to respond directly. And this is not unusual for me, 
because I realize that we are all on this Earth for a short while 
and that our reputation is all we have. And since those statements 
were made about you, I would like to give you an opportunity to 
respond. 

Mr. Park. Thank you, sir. Thank you for the opportunity. And, 
again, I don’t take any of this personally; it is a fast-moving situa- 
tion with a lot going on. So I would just say this, that it was the 
case, absolutely, that volume was a key issue that hit the site. It 
is still an issue for the site, although we have greatly expanded 
and are expanding the ability for the site to accommodate volume. 
I relayed my best understanding at the time in each of my state- 
ments. It is the nature of things that as you do more painstaking 
diagnosis of a system, you learn more about what you need to do 
to fix it, and I can say now that, in addition to volume, there are 
other key issues that have to be addressed with the site in terms 
of its performance, in terms of its stability, in terms of its 
functionality, and there are aggressive efforts happening to do that 
which are making great progress, so it is getting better and better 
each week with the work of a tremendous team led by Jeffrey 
Zients and Ms. Tavenner, of which I am proud to be a small part. 
But you have my assurance that at each part along the way, if I 
am ever asked a question, I will tell you what I know to the best 
of my ability, my best understanding, and that is what I will con- 
tinue to do as my understanding gets better and better. 

Mr. Cummings. Well, let me ask you this. Did you engage in a 
“pattern of interference and false statements?” 

Mr. Park. No, I did not. I relayed my best understanding at the 
time, and I will continue to do that. As my understanding gets bet- 
ter, I will relay that, absolutely. 

Mr. Cummings. Before you were subpoenaed to come here today, 
your office wrote a letter describing your extreme demanding work- 
load for the next two weeks and offering to testify in December in- 
stead. Was this concern coming just from your office or was it real- 
ly a legitimate concern of yours that you would be pulled away 
from the website issues to prepare for testifying here today? 

Mr. Park. So it has never been a question of if I will testify, it 
was just a question of when. It had been the hope of me and the 
team that is working to fix the site that I could continue to focus 
intensely on helping to fix the site this month and come back in 
a few weeks. That being said, I understand that the chairman 
came to a different decision. I respect that decision. I am the son 
of immigrants from Korea. I have incredible love for this Country. 
I have huge respect for the institution of Congress and its role in 
our democracy, and if the committee wanted me to be here today 
and decided I should be here today, then I am happy to be here 
today and make the time to answer your questions. 

Mr. Cummings. Although I understand that the website 

Chairman Issa. The gentleman’s time has expired. 

Mr. Cummings. Mr. Chairman, I just ask for the same amount 
of time you had. 

Chairman Issa. I let you ask the last question after your time 
had expired, and it was completed. 

We now go to the gentleman from Florida for five minutes. 

Mr. Tierney. Mr. Chairman, I think it was about almost four 
minutes that you exceeded your time by that. Is there 

Chairman Issa. I went to one question after the end, which was 
Mr. Chao, which 

Mr. Tierney. Four minutes. I am only asking 

Chairman Issa. The gentleman is recognized. 

Mr. Tierney. Well, you are not going to run a fair hearing, you 
are just going to go out and do this all the way. 

Chairman Issa. The gentleman from Florida is recognized. 

Mr. Mica. Thank you for yielding. 

It is kind of interesting to see, as ObamaCare implodes, how ev- 
erybody is running for cover. Yesterday we saw the former Presi- 
dent of the United States, Bill Clinton, throw the current President 
under the bus, so to speak, on this issue. Today we heard the other 
side, Mr. Cummings, our Democrat leader, start out by citing that 
the problem with this is Republican governors, that a lot of them 
opted for an exchange. 

Mr. Chao, are these governors Arkansas, Delaware, Illinois, Mis- 
souri, Montana, aren’t they all Democrat governors and they opted 
out of the exchange? Are you aware of that? Well, they are, just 
for the record. But it is interesting to see how they run for cover. 

I have a question for all of you. Each of you I want to ask you 
this question. It is obvious that ObamaCare was not ready for 
prime time from both an IT performance ability and also from a se- 
curity standpoint. Were you aware of that, Mr. Powner, before Oc- 
tober 1st? 

Mr. Powner. GAO did issue a report 

Mr. Mica. Were you — okay. 

Mr. Powner. — in June that there was a lot to do in a compressed 
schedule, correct. 

Mr. Mica. Yes. 

Were you aware of it, Mr. Chao? 

Mr. Chao. Can you repeat the question again? 

Mr. Mica. That ObamaCare was not ready from an IT oper- 
ational standpoint and also from a security standpoint for prime 
time on October 1st. Were you aware of it? 

Mr. Chao. I was aware that there was security testing 

Mr. Mica. You were aware that there were problems. Okay. 

Mr. Chao. And that there were no high findings in security test- 
ing. 

Mr. Mica. I said from an operational. So you thought it was 
operational. 

Mr. Chao. I am just trying to answer your question. 

Mr. Mica. Well, operational and security. 

Mr. Baitman? 

Mr. Baitman. I was aware that various modules that were to be 
part of the system were 

Mr. Mica. Weren’t working. 

Mr. Baitman. — were being removed. 

Mr. Mica. Mr. Park, anything on security? Mr. Park, operational 
and security. 

Mr. Park. As I recall, sir, no. 

Mr. Mica. Oh, okay. 

Mr. VanRoekel? 

Mr. VanRoekel. I am aware that any system, private sector or 
public sector 

Mr. Mica. What about the security? 

Mr. VanRoekel. — needs constant addressing of security. 

Mr. Mica. What about the security issue? 

Mr. VanRoekel. Any system needs constant — security needs to 
be constantly addressed. 

Mr. Mica. Did you review a document prepared by MITRE that 
reviewed — this hasn’t been released yet, but it reviewed the secu- 
rity testing and capability? 

Mr. VanRoekel. No, sir, I didn’t see that. 

Mr. Mica. You did not see this, September 23rd, that highlighted 
some of the issues? Okay. 

First of all, it looks like political decisions got us into this strait. 
You commented, Mr. Chao, to our committee that you had to have 
regulations in place to go forward to make decisions on the con- 
struct, right? 

Mr. Chao. Correct. 

Mr. Mica. And there were regulations that were not imposed, 
and I think you also intimated that some of them were stopped by 
the White House prior to the election. 

Mr. Chao. No, I did not. 

Mr. Mica. Okay. Mr. Chao, you said the delay in the issuance 
of regulations guidance was a significant problem in compressing 
the time frame and actually the White House pressure to stop 
those regulations coming out before the election, because they 
didn’t want folks to know what was coming. You are not aware of 
that? 

Mr. Chao. Well, I think you are paraphrasing from my testi- 
mony, which I 

Mr. Mica. Okay. Well, here is your comment to our staff: You 
can’t test the system without requirements, so if requirements are 
coming in late, then obviously you are going to be a little nervous. 
Was that your statement? 

Mr. Chao. I think that holds true for any 

Mr. Mica. That is what we have. That was your statement. 
Okay, so 

Mr. Chao. My answer in the context was for any development 
project that requires requirements in order to build the system in 
a compressed time frame 

Mr. Mica. Did you know that security and the testing was done 
by MITRE, of security, is that correct? 

Mr. Chao. MITRE and Blue Canopy. 

Mr. Mica. Okay, both respectable firms. And this is the MITRE 
report. MITRE was unable to adequately test confidentiality and 
integrity of the exchange system in full. Are you aware of that? 

Mr. Chao. Well, that seems actually true and appropriate, be- 
cause the full system isn’t built. 

Mr. Mica. But it was never fully tested? Has it been tested? 

Mr. Chao. No. I think what it is referring to is that there are 
other components of the Marketplace program that still need to be 
built. 

Mr. Mica. Sir, can you sit here and tell us that there are not 
heightened risk of unauthorized access, non-encrypted data, iden- 
tity theft, and loss of personal identifiable information? 

Chairman Issa. The gentleman’s time has expired. 

Mr. Chao. That was 

Mr. Mica. And Mr. Powner, can he also answer to that? 

Mr. Chao. That was my reply in response to a decision memo in 
which we wanted to generally highlight the potential risk that is 
applicable to any system of this magnitude that is servicing the 
public and collecting information about people. 

Chairman Issa. Mr. Powner, if you had anything else, briefly. 

Mr. Powner. Your staff shared that document with me. I think 
the key is that was an early assessment, not on the complete sys- 
tem, and a key question going forward is what has been done in 
terms of security testing and assessment while the system con- 
tinues to be built. 

Chairman Issa. Thank you. 

The gentlelady from New York, Mrs. Maloney. 

Mrs. Maloney. Thank you. I would like to thank all of the panel- 
ists for their public service and thank the chairman and ranking 
member for this oversight hearing. There is a success story in the 
State that I am privileged to represent, New York State. Nearly 
50,000 New Yorkers have enrolled in health insurance plans 
through the New York State health program. Almost 200,000 New 
Yorkers have completed full applications on the New York State of 
Health. Additionally, the State’s customer service center operators 
have provided assistance to more than 142,000 New Yorkers. And 
the rates for the plans represent a 53 percent reduction compared 
to the previous year’s individual rates, and in addition to the cost 
savings, it is estimated that nearly three-quarters of individual en- 
rollees will qualify for financial assistance. This is according to an 
official State report from New York. So this is certainly good news. 

But we do need improvements on the Federal user experience, 
and I would like to ask Mr. Park have improvements been made 
daily on the website? Are you working to make improvements every 
day? 

Mr. Park. Thank you so much for the question, and it is terrific 
news coming out of New York. So the answer to your question is 
people are working every day to make things better. I would say 
the site is getting better week by week. Some days are better than 
others, but if you look at the trend line, week over week things are 
getting better. So, for example, one metric of the user experience 
is what is called system response time. This is the rate at which 
the website responds to user requests like displaying a page that 
you want. Just a few weeks ago that rate was, on average, eight 
seconds across the system, which is totally unacceptable. It is now 
actually under a second today. 

Mrs. Maloney. Well, that is really good news. How much faster 
can the public expect the website to be? Now you are under a sec- 
ond, is that what you are saying? 

Mr. Park. On average, yes. 

Mrs. Maloney. On average? 

Mr. Park. Yes. 

Mrs. Maloney. Well, can the public expect — can you make it any 
faster than a second? 

Mr. Park. Yes. The team believes that it can, the team doing 
this, and we are most of the way, I think, in terms of average re- 
sponse time that we want to be. We want to get it down further. 
We are also actually, thanks to 

Mrs. Maloney. So I would say that reducing wait time has be- 
come a priority, right? And that certainly will help enrollment 
numbers, don’t you think, Mr. Park? 

Mr. Park. That is right. Yes, ma’am. 

Mrs. Maloney. Okay, great. That is terrific. Now, are accounts 
registering properly at this time? Was that problem solved? 

Mr. Park. That problem has actually largely been solved. That 
was, of course, a significant problem up front that folks experi- 
enced. But thanks to expanded capacity, thanks to system configu- 
ration changes and code fixes, that problem has largely been 
solved. People can actually get through the front door and begin 
the application process and start shopping for affordable health op- 
tions. 

Mrs. Maloney. So how many registrations can the system han- 
dle now? Congratulations on solving that, by the way. 

Mr. Park. So I believe that the latest number the team reports 
is about 17,000 registrations an hour, and the plan is to actually 
up that in terms of new accounts being created. Then, of course, 
people who have registered previously are coming back and coming 
back and coming back to keep working on their application, shop 
for plans, etcetera. 

Mrs. Maloney. And how are you reaching out to people who may 
have been discouraged and encouraging them to come back and try 
again? Is there any effort to reach out to them or just the notices 
that it is happening? 

Mr. Park. Yes, ma’am. So CMS is currently engaged in an effort 
to begin to reach out to folks who actually got stuck in the applica- 
tion process and encouraging them to come back and make it 
through the front door and start applying for coverage. 

Mrs. Maloney. Are there resources there to help people navigate 
the process? I am hearing they are confused often. Is there any re- 
sources there to help them figure it out? 

Mr. Park. Yes, ma’am. There is Help text, there is also the call 
center, and the team is also working quite vigorously to keep im- 
proving the user interface and the flow so that you need less help, 
so that it is more and more clear to you at particular points what 
to do. 

Mrs. Maloney. And how are you assessing or distributing the 
feedback that you are getting from users that have used the system 
and want to tell you how they can make it faster? But I don’t see 
how you could make it any faster than a second, quite frankly. But 
how are you communicating that feedback from users? 

Mr. Park. You can make it faster, by the way, and so people are 
working on that. But there is feedback coming from a variety of dif- 
ferent sources; from users, from folks in the field, from the call cen- 
ter, from testers, and that is actually being fed into a list dynami- 
cally kept on an ongoing basis of things to do in priority order to 
make the website better and better. 

Mrs. Maloney. And I understand that the Hub, the data Hub is 
working well. Is that correct? 

Mr. Park. The Hub has worked extremely well from day one. It 
supports actually not just the Federal Marketplace, but all the 
State Marketplaces, including New York’s great success; and that 
continues to hum along very nicely. 

Mrs. Maloney. Well, thank you. My time has expired and I see 
that sleeping on the floor is paying off in your hard work. Thanks. 

Mr. Park. The team. It is the team. I am just part of it; the team 
is doing the work. 

Mrs. Maloney. Your team. Congratulations. Thank you. 

Mr. Park. The team. 

Chairman Issa. I thank the gentlelady. 

We now go to the gentleman from Tennessee, Mr. Duncan. 

Mr. Duncan. Thank you very much, Mr. Chairman. While I am 
very skeptical about the Government’s ability to run our health 
care system, what I am more concerned about or object to more is 
all the sweetheart insider deals that Government contractors get 
under these programs and all the people and companies that are 
getting filthy rich off of these programs. 

I have an estimate here on the cost of all the technology, the esti- 
mate of OMB as of August 30th before all the problems surfaced, 
and they said we would spend $516.34 million on the technology. 
Now we have seen estimates way above that. So I have a question 
about that, about how much all this is going to cost us to straight- 
en this out and are these going to be continual costs each year? Are 
we going to have to spend more and more and more on the tech- 
nology? 

But secondly, and a greater concern, I have two stories here, one 
from The Washington Post about 10 days ago and one from CBS 
News a couple days later, and they say the Administration knew 
three and a half years in advance that these problems were going 
to occur. The Washington Post story says in May 2010, two months 
after the Affordable Care Act squeaked through Congress, President 
Obama’s top economic aides were getting worried. Larry Summers, 
director of the White House’s National Economic Council, 
and Peter Orszag, head of the Office of Management and Budget, 
had just received a pointed four page memo from a trusted outside 
health advisor that warned that no one in the Administration was 
up to the task of overseeing the construction of an insurance ex- 
change and other intricacies translating the 2,000 page statute into 
reality. 

So what I am asking, and I welcome comments from anybody on 
the panel, how much is all this going to cost to straighten out these 
problems that we now know that we have? And, secondly, how long 
is it going to take, when the Administration or you all have had 
three and a half years warning that this was going to happen? How 
much longer is it going to take to straighten all this out? 

Chairman Issa. Mr. Powner, you seem to be giving the best 
answers. 

Mr. Powner. I can comment on the cost figure, what we know 
to date. If you look at OMB documentation, there are exhibits 
where you report spending by fiscal year, and through the fiscal 
year 2013, so by the end of September, it was north of $600 million 
spent. Now, I will caveat that by saying that did include IRS costs 
associated with that and some other Government agencies; it 
wasn’t just all CMS and HHS. 

But your question about what it is going to cost to fix, that is 
where we are kind of blind to that, and I think that is a key ques- 
tion, how much that will end up being. 

Mr. Duncan. All right. Does anybody know? If we have spent 
$600 million already, and it is not working, does anybody have any 
idea how much all this is going to cost us in the end? Nobody 
knows? 

Then go to the second question. How long is all this going to 
take? If you have had three and a half years to get ready for this 
and we had all these promises about you can keep your plan, you 
can keep your doctor, your health care cost premiums are going to 
go down by as much as $2500, and we now know that all that was 
false or incorrect, how much longer is it going to take, another 
three and a half years to get this straightened out? 

Mr. VanRoekel. I think it is important to note, sir, that Ameri- 
cans are getting insurance today, that the system is passing 
through and people are registering. The focus today, as I said in 
my opening statement, is about continuous improvement and mak- 
ing sure that we make that even better and stronger, and that 
more and more people 

Mr. Duncan. Millions are getting their policies canceled and 
more are getting sticker shock because of premium increases, too. 
But I am just wondering. What I am asking about is all the tech- 
nology. If we have had three and a half years that the Administra- 
tion has known that this was going to happen, and they couldn’t 
fix it in three and a half years, how much longer is it going to take 
us? 

Chairman Issa. Would the gentleman yield? 

Mr. Duncan. Yes, sir. 

Chairman Issa. You know, we have two distinguished individuals 
from the private sector, and I would suspect that at Athena and 
at Microsoft they knew what their burn rate was, they knew what 
their time was. In fact, neither of their companies would exist if 
they had launched their product quite like this. Even Windows 
Vista launched better than the Obama website. 

But the gentleman could include their experience in the private 
sector, if they would like to compare this launch with the launch 
of each of their companies. 

Mr. VanRoekel. I think it is important to note on this the way 
that Federal budgeting and Federal IT is managed and empowered, 
and I think FITAR actually emphasizes this, as well as many of 
the memos and things that I have put out, is empowering agencies 
to do their mission work, to execute against the budget. We formulate 
the budget within the Office of Management and Budget, and 
then the Congress and the appropriators actually grant that budget 
to the agencies to then execute; and the tools that we build to 
track, spend, to make sure that diligence is happening on that are 
all about empowering the agency to make those smart decisions 
about what they do. So in the private sector it is not directly par- 
allel because you are not, from our position, on the ground actually 
running these programs day-to-day. 

Chairman Issa. You are begging an angel capitalist to give you 
one more chunk of money that he may or may not give you. 

With that, we go to the gentlelady from the District of Columbia 
for her five minutes. 

Ms. Norton. Thank you, Mr. Chairman. And although you have 
called witnesses who are being asked to fix a plane while it is in 
the air, I do believe oversight is appropriate in light of the round 
of surprises we have had. 

Let me try to clear something up, Mr. Chairman. Mr. Chao got 
a round of questions about the preflight checklist, and I do have 
a document that said testing successfully, yes. I don’t know if that 
means conducted a test or what, because if you look more deeply 
into the document, and you didn’t have this before you, where you 
have the CGI checklist, that defect report, it is entirely consistent, 
Mr. Chao, with what you have said because this defect report says 
there were 22 defects. 

Chairman Issa. Would the gentlelady make that document avail- 
able? 

Ms. Norton. I would be glad to make this available to you and 
to the press. 

I am also troubled by how the committee often pulls the White 
House into these matters without any evidence. The White House, 
in this case, the rollout is accused of not knowing enough and now 
they have been accused of directing matters with respect to the 
Anonymous Shopper function. Even the chairman has said that 
publicly on television. 

So I would like to ask Mr. Chao about that issue. And the ques- 
tion really has to do with whether you were forced to register and 
then shop, whether that change was made from shop, then register 
to register, then shop; whether that change was made because of 
the involvement of the White House in any way. 

Mr. Chao. Absolutely not. It was a decision made on the results 
of testing. It would be pretty egregious, and I understand that a 
lot of folks are wondering why the website is functioning the way 
it is, but to consciously know that it failed testing and to then put 
it into production for people to use is not what we do. We use the 
best available information, and if the test results show that it is 
not working, we don’t put it into production. 

Chairman Issa. Would the gentlelady yield? 

Ms. Norton. I certainly will, Mr. Chairman, if you will make 
sure I get my time 

Chairman Issa. Of course. 

Would you stop the clock? 

You know, the gentlelady’s information, I have been told, the one 
that you are referring to, is in fact a roll up to the decision that 
it had passed. In other words, your document is not inconsistent 
with it. I think Mr. VanRoekel made it clear that they are still fix- 
ing XP, after they no longer support it. So I think the conclusion 
of the document is clear. You are asking Mr. Chao. He is still say- 
ing that this thing failed the test, when it in fact documents show 
it passed the test. Was it perfect? No. But if you could only get six 
people registered on day one and only 240 registered on day two, 
some might say that the website was not passing the test in those 
first two days either. So hopefully that document, you can make it 
available to all of us, but I have been told that that is simply part 
of the supporting documents for the conclusion that CMS has in 
their own documents, which is that that portion which was ex- 
cluded, and we have been told in testimony that, in fact, they were 
told by people at CMS to turn it off and that those people were 
being instructed by people at the White House. 

Ms. Norton. Let me clear that up, Mr. President. 

Chairman Issa. Okay. 

Ms. Norton. I mean Mr. Chairman. 

Chairman Issa. I just want you to understand that contractors 
told us 

Ms. Norton. Well, Mr. Chairman, let’s look at the document. 
Let’s have people look at the fine print and decide when these 22 
defects were noted, because I got it in black and white here. 

Now, you say the White House did not say to turn off the Anony- 
mous Shopper, Mr. Chao, was that your testimony? 

Mr. Chao. Yes. 

Ms. Norton. Because the allegation of the chairman was that 
the White House ordered it because they wanted to avoid sticker 
shock. I remember seeing that on, I think, television. Now, just let 
me say something about sticker shock. I had a staff member go on 
just to test the DC Health Link, which is where we all will have 
to go, and she found that the same — there are 267 different poli- 
cies, insurers on DC Health Link, and she found that the same 
Blue Cross Blue Shield she is now getting from the Federal em- 
ployment program she can get for between $160 and $220 less. So 
if there is sticker shock, at least some people are finding sticker 
shock works the other way. 

But I want to drill down on this decision from the White House. 
Was there White House directive that because — the decision came 
not because — I want to make sure your testimony remains, because 
there has been some difference the chairman cited — that there was 
no White House directive, but the reason for pulling the Anony- 
mous Shopper was because the function failed testing, does that 
continue to be your testimony? 

Mr. Chao. Correct. If we would have put it into production, even 
though it is anonymous shopping nor browsing, it requires some at- 
tributes about your preferences, your demographics to approximate 
potentially what premium tax credit ranges you would qualify for 
so that you can then move into shopping or plan compare. It didn’t 
work in either calculating the approximate premium tax credit, nor 
did it work in plan compare, so if we allowed people to go through 
that, they would have gotten erroneous information and that would 
have been much worse than not having it at all. 

Ms. Norton. I have already pointed to a document. By the way, 
this document is from September. 

Now, did you get 

Chairman Issa. The gentlelady’s time has expired. Would you 
briefly finish? 

Ms. Norton. Did you get any direction from the White House to 
disable or to delay the shopper function and were there any polit- 
ical considerations that went into your decision to do so? 

Mr. Chao. None whatsoever. I look at the facts of whether a sys- 
tem is going to be ready. And, of course, not everything is always 
100 percent perfect, and there are certain tolerances, but in this 
case it failed so miserably that we could not consciously let people 
use it. 

Ms. Norton. Thank you, Mr. Chairman. 

Chairman Issa. I thank the gentleman. 

We now go to the gentleman from North Carolina, Mr. McHenry. 
Could you yield for just 10 seconds? 

Mr. McHenry. Happy to. 

Chairman Issa. Thank you. 

Mr. Chao, if it couldn’t calculate the prices properly, is it your 
testimony that when people went through the back door, those six 
that got through on the day one, that it did calculate what their 
plan and let them shop through another part, a completely dif- 
ferent portal? 

Mr. Chao. If you don’t go through what was 

Chairman Issa. No, no, no. I have taken six seconds from the 
man and I don’t want to go past a few seconds. 

Mr. Chao. If you fill out an online application and you put your 
information in, you get an eligibility determination, you ask for fi- 
nancial assistance 

Chairman Issa. Yes, you go through everything. But you are saying 
you didn’t get the right price through the same software that 
would determine the right or wrong price 

Mr. Chao. No. Anonymous shopping was using different soft- 
ware. 

Chairman Issa. Oh, yeah. Okay. That remains to be seen. 

Mr. McHenry, thank you. 

Mr. McHenry. Mr. Chao, all my constituents care about and 
want to know is when they log on, is their data, all their personal 
identifiable information, is that as secure as if they do online bank- 
ing. 

Mr. Chao. It was designed, implemented 

Mr. McHenry. I mean, that is a yes or no question. 

Mr. Chao. It was designed, implemented, and tested to be se- 
cure. 

Mr. McHenry. So it was fully tested in best practices under the 
Federal Government standard for IT proposals. 

Mr. Chao. Correct. 

Mr. McHenry. It was? 

Mr. Chao. It was security assessment testing conducted by 
MITRE and another company. 

Mr. McHenry. Okay. So it is fully tested as the other IT projects 
you have overseen into that same standard. 

Mr. Chao. I am trying to understand what you mean by fully 
tested. It was tested 

Mr. McHenry. Fully tested? Holy cow. This is like a new low. 
Okay, then let me use the 

Mr. Chao. There are a lot of 

Mr. McHenry. Best practices are a complete integrated testing, 
is that correct? 

Mr. Chao. It is tested and prescribed under the FISMA frame- 
work and NIST controls that are specified as a standard. 

Mr. McHenry. Okay. So why did your boss resign? 

Mr. Chao. He didn’t resign. 

Mr. McHenry. Okay. So due to security readiness issues 

Mr. Chao. I think he decided to make a career change, which I 
can’t speak to. 

Mr. McHenry. I think it was a fantastic time to hightail it out 
after this great rollout. So let me ask another question. So Marilyn 
Tavenner signed the authority to operate memorandum. Tradition- 
ally, would your office sign a memorandum or have you signed pre- 
vious memorandums on authority to operate? 

Mr. Chao. Myself, I have not. 

Mr. McHenry. Has your boss, or previous boss? 

Mr. Chao. Not that I know of. But I do not manage the ATO 
sign-off process, that is done between the chief information officer 
and the chief information security officer. 

Mr. McHenry. Okay. And they would traditionally do it, not the 
CMS administrator. 

Mr. Chao. I think you would have to ask them. 

Mr. McHenry. Okay. Fantastic. We plan to do that. 

Let me ask you, Mr. Park, you said on USA Today, on October 
6, “These bugs were functions of volume. Take away the volume 
and it works,” referring to Healthcare.gov. It was in the fourth 
paragraph. Do you still stand by that statement? 

Mr. Park. Thank you for the question. What I was specifically 
referring to 

Mr. McHenry. No, no. Do you still stand by 

Mr. Chairman, I ask unanimous consent to submit this for the 
record. 

Have you seen this USA Today 

Chairman Issa. Without objection, so ordered. 

Chairman Issa. And the question is on the statement, not on 
what you would want someone else to believe today. 

Mr. McHenry. These bugs were function of volume. Take away 
the volume and it works. Do you still stand by that? 

Mr. Park. So I stand by the fact that the bugs that the reporter 
was referring to, which were issues users were experiencing in ac- 
count creation up front, were in fact functions of volume. What I 
will say now, based on additional understanding, is that in addition 
to volume, which was a challenge, the account creation process 
was, later on, also affected by particular functionality bugs, which 
have been fixed, most of which have been fixed, along with volume 
capacity expansion and other system configurations 

Mr. McHenry. So, Mr. Park, let me tell you a story. I have a 
woman named Sue who logged on. She filled out everything else. 
She did not fill out her middle initial. She got a processing error. 
She went back to try to fix it, put in the middle initial. She had 
to wait 48 hours to get another update. Turns out that her income 
was not verifiable because she put in a monthly income. She calls 
a navigator, the navigator says, yeah, we have some problems with 
that; maybe you can do it on an annualized basis. Well, unfortu- 
nately, she couldn’t get back into the system, so then has to call 
back for another navigator and the navigator says, gosh, we have 
a little issue here, so let me try an annualized income and put it 
in on the back end that navigators can do. She is still waiting. She 
started on October 1st. She is still waiting to be successfully logged 
in to this website that you said these bugs were functions of vol- 
ume; take away the volume and it works. 

This is such a deeply flawed data rollout, and my constituents 
are most concerned about trying to sign up, much less when they 
do sign up that they don’t have their data stolen. 

Mr. Chairman, I yield back. 

Chairman Issa. I thank the gentleman.

Mr. Park, you can answer, if you see a question there. 

Mr. Park. That would be great. Thank you. So I was actually 
talking specifically about issues with account creation. There are 
issues downstream as well, and, again, each time I speak with you, 
each time I speak, I will relay the best understanding I have and 
try to be as precise as I can be. 

Chairman Issa. I thank you. 

We now go to the gentleman from Virginia, Mr. Connolly. 

Mr. Connolly. Thank you, Mr. Chairman, and let me begin on 
a bipartisan note. Mr. Chairman, you and I helped write, joining 
together, the FITAR Act requiring reform of Federal IT acquisition. 
Mr. VanRoekel, you seem to have been equivocal, maybe, at our 
last meeting in January when you testified here, but I want to read 
to you a statement by the President of the United States. He said, 
just recently, one of the lessons learned from this whole process on 
the website is that probably the biggest gap between the private 
sector and the Federal Government is when it comes to IT; how we 
procure it, how we purchase it. This has been true on a whole 
range of projects. 

A reasonable inference from that statement could be drawn that 
perhaps we do need some more legislation, some new legislation to 
free up some of the moribund rules 

Chairman Issa. Would the gentleman yield?

Mr. Connolly. If we could freeze my time. 

Chairman Issa. Of course. I couldn’t agree with you more that, 
in fact, one of the lessons that I hope all of us take out of this hearing
today is that we have two people from the private sector who
know that they would never do a process like this one was done, 
and yours and my legislation is really about trying to create at 
least a modicum of similarity in IT procurement in the Federal 
Government the way it is done in the private sector. And I thank 
the gentleman for his comments. 

Mr. Connolly. I thank the chairman. 

So I commend to Mr. VanRoekel the statement of the boss. 

Mr. Chao 

Chairman Issa. So now I am the boss? 

Mr. Connolly. No. Well, you are too.

Chairman Issa. Oh, you mean the President.

Mr. Connolly. The other boss. 

Chairman Issa. Ah, yes. His boss.

Mr. Connolly. The big boss. 

Mr. Chao, during your interview with committee staff on November 1,
you were presented with a document you had not seen before
and it was titled Authority to Operate, signed by your boss on September
3rd, 2013, is that correct?

Mr. Chao. Correct. 

Mr. Connolly. The Republican staffers told you during that
interview that this document indicated there were two open high-risk
findings in the Federally-facilitated Marketplace launched October 1,
is that correct?

Mr. Chao. Correct. 

Mr. Connolly. This surprised you at the time. 

Mr. Chao. Can I just qualify that a bit? It was dated September 
3rd and it was referring to two parts of the system that were already —

Mr. Connolly. You are jumping ahead of me. We are going to 
get there. 

So when you were asked questions about that document, you told 
the staffers you needed to check with officials at CMS who oversee 
security testing to understand the context, is that correct? 

Mr. Chao. Correct. 

Mr. Connolly. The staffers continued to ask you questions, 
nonetheless, and then they, or somebody, leaked parts of your transcript
to CBS Evening News, is that correct?

Mr. Chao. It seems that way. 

Mr. Connolly. Since that interview, have you had a chance to 
follow up on your suggestion to check with CMS officials on the 
context? 

Mr. Chao. I have had some discussions about the nature of the 
high findings that were in the document. 

Mr. Connolly. Right. And this document, it turns out, discusses 
only the risks associated with two modules, one for dental plans 
and one for the qualified health plans, is that correct? 

Mr. Chao. Yes. 

Mr. Connolly. And neither of those modules is active right now, 
is that correct? 

Mr. Chao. That is correct. 

Mr. Connolly. So the September 3rd document did in fact not 
apply to the entire Federally-facilitated Marketplace, despite the 
assertions of the leak to CBS notwithstanding, is that correct? 

Mr. Chao. That is correct. 

Mr. Connolly. And these modules allow insurance companies to 
submit their dental and health plan information to the Marketplace,
is that correct?

Mr. Chao. Correct. 

Mr. Connolly. That means those modules do not contain or 
transmit any personally identified information on individual consumers,
is that correct?

Mr. Chao. Correct. 

Mr. Connolly. So, to be clear, these modules don’t transmit any 
specific user information, is that correct?

Mr. Chao. Correct.

Mr. Connolly. So when CBS Evening News ran its report based 
on a leak, presumably from the Majority staff, but we don’t know, 
of a partial transcript, excerpts from a partial transcript, they said 
that security issues raised in the document “could lead to identity 
theft among buying insurance,” that cannot be true based on what 
we just established in our back and forth, is that correct? 

Mr. Chao. That is correct. I think there was some rearrangement 
of the words that I used during the testimony and how it was portrayed.

Mr. Connolly. So to just summarize, correct me if I am wrong, 
the document leaked to CBS Evening News did in fact not relate 
to parts of the website that were active on October 1, they did not 
relate to any part of the system that handles personal consumer information,
and there, in fact, was no possibility of identity theft,
despite the leak. 

Mr. Chao. Correct. 

Mr. Connolly. Thank you, Mr. Chao. 

I yield back. 

Chairman Issa. Would the gentleman yield your 26 seconds? 

Mr. Connolly. Yes, Mr. Chairman. 

Chairman Issa. Have you read the November 6th letter from the
ranking member to me? 

Mr. Connolly. Yes. In fact, I think I cosigned that letter. 

Chairman Issa. Oh, that is good. So the gentleman is well aware 
that even today there are significant security leaks that the ranking
member was concerned, if discovered, would allow hackers to
take people’s private information, that there is a security risk, and 
that was cautioned by you not to let that out. Susannah will give 
you the answer, if you will just let her. Okay, I hear none. 

Mr. Connolly. I am sorry, I am not following the quote. 

Chairman Issa. Well, I was trying to let the staff speak to you,
but the bottom line is that there are security risks today, according 
to you and the ranking member. This website still has 
vulnerabilities, if discovered, that would lead to personal information
coming out, is that correct, in your letter?

Mr. Connolly. Mr. Chairman, that may be, but I am talking 
about a deliberate leak that, frankly, distorted reality based on two 
modules that were inactive and using that misinformation to suggest
that it applied to, in fact, the active website.

Chairman Issa. But end-to-end security problems in your letter 
do apply to the active website, right? 

Mr. Connolly. Well, they may, Mr. Chairman, but right now my 
questioning to Mr. Chao had to do 

Chairman Issa. No, I understand you are rehabilitating Mr. 
Chao. 

Mr. Connolly. No, I am not. Mr. Chairman 

Chairman Issa. But the question is 

Mr. Connolly. Mr. Chairman, Mr. Chairman, let’s be fair. I am 
trying to get the facts on the record and correct a deliberate smear 
against Mr. Chao. Not to rehabilitate him, but to, in fact, get the 
truth out because someone deliberately leaked something and distorted
it, Mr. Chairman, in the name of this committee.

Chairman Issa. No, I appreciate your concern. My concern is

Mr. Connolly. I am glad you do, Mr. Chairman.

Chairman Issa. — Mr. Chao had the MITRE report and it is that 
report that, even redacted, you didn’t want released because it 
shows a roadmap to the vulnerabilities of the site as it is today. 
That is your letter. 

Mr. Connolly. Mr. Chairman, I began my questioning by acknowledging
our joint bipartisan effort to in fact try to legislate reforms
in IT acquisition. That is an acknowledgment on my part,
and yours, that, in fact, the Federal IT acquisition process is broken,
whether it is this example or some other. So I have no desire,
no motivation to hide anything. But I am concerned at a pattern
of calling people to give us testimony and cherry-picking their testimony
to make a political point that, frankly, does not serve this
committee well in terms of its oversight role and does damage to
good public servants’ reputation.

Chairman Issa. I appreciate the gentleman’s bipartisan efforts. 

Mr. Connolly. I thank the chair. 

Chairman Issa. Mr. Jordan is recognized. 

Mr. Jordan. I thank the chairman. 

Mr. Chao, a week ago the President was interviewed last Thursday
and was asked about Secretary Sebelius, and the President defended
his health secretary — I am quoting from the Chuck Todd
interview — defended his health secretary, argued that the website 
bugs aren’t necessarily her fault. “Kathleen Sebelius doesn’t write 
code. She wasn’t our IT person.” 

Who is the IT person? Who is the person in charge? Who is the 
person responsible? Who is the one who signed off on this before 
it went public? 

Mr. Chao. The person that is responsible is our administrator, 
Marilyn Tavenner. 

Mr. Jordan. And did she base her decisions on the memo you 
sent her on the 27th, is that right? Isn’t that the Authority to Operate
memo?

Mr. Chao. I think that is 

Mr. Jordan. I mean, the President talked about IT person. Ms. 
Tavenner is not an IT person. Who is the IT person? Is that Mr. 
VanRoekel? 

Mr. Chao. I don’t know. 

Mr. Jordan. Is that Mr. Park? Is it Mr. Chao? Which of you is 
that person? 

Mr. Chao. I don’t know, I didn’t speak to the President. 

Mr. Jordan. No, but he refers to a person. Who would it be? Who 
is the IT person in charge? 

Mr. Chao. I don’t know what the President was referring to. 

Mr. Jordan. Let me start with slide C3, if I could. The final report
came out October 13th, after October 1st. I just want to read
the first: MITRE was unable to adequately test the confidentiality 
and integrity of the exchange system in full. Lower down: Complete 
end-to-end testing of the application never occurred. 

Doesn’t that raise concerns? Did you know about this before October
1st, Mr. Chao?

Mr. Chao. I think that is taken out of context. 

Mr. Jordan. It is pretty plain language. Didn’t test it; no end-to-end
testing; done before October 1st. And yet the IT person in
charge, whoever the President is referring to, somebody said it is
okay to start this thing.

Mr. Chao. I say it is taken out of context because there are still 
quite a few 

Mr. Jordan. Mr. VanRoekel, did you know the results of the 
MITRE testing before October 1st? 

Mr. VanRoekel. I haven’t seen this document, so I would love 
to 

Mr. Jordan. Well, you have the fancy title; you are the Chief Information
Officer of the United States of America. That is a pretty
big title. And you didn’t know about this before the biggest domestic
policy program website in the history of this Country ever is
launched, and you didn’t know about this?

Mr. VanRoekel. Sir, I haven’t seen this document. 

Mr. Jordan. Well, that scares us. 

Mr. Park, you are supposed to be the guy who is going to solve 
everything; you are Clark Kent coming out of the phone booth here. 
Did you know about this before October 1st? 

Mr. Park. I did not. 

Mr. Jordan. And why is it 

Mr. Chao. Would you like me to explain why 

Mr. Jordan. I would like someone to tell me why you didn’t 
know that end-to-end testing wasn’t done 

Mr. Chao. It is not about not knowing; it is that, for example, 
the first payment to the insurance companies, the issuers, are not 
going to occur until sometime in the first part of January. We are 
still building the system. 

Mr. Jordan. We just had this. The system all works together. It 
wasn’t tested all at once. 

Mr. Chao. We are still building parts of the system to calculate 
payment, to collect the enrollment data from all the marketplaces 
and to make that payment 

Mr. Jordan. So there is more system to be built. So we can expect
more problems in the future to add to the problems we have
already seen. 

Mr. Chao. Security testing is ongoing. 

Mr. Jordan. Let me ask you this. This, to me, seems to be the 
billion dollar question. Why didn’t you delay this? You guys knew 
there were going to be problems. You hadn’t done end-to-end testing.
Some of your testing we hoped that the tests would work when
we presented it to the White House. Why didn’t you delay this? Mr. 
Chao, why wasn’t it delayed? 

Mr. Chao. That is not my decision to make. 

Mr. Jordan. This, to me, is the thing. The chief technology people
don’t know, but October 1st is October 1st, a date that is in the
law? It is not. It is just a date — let me cite you this here. The
Washington Post article — and I know I only have a minute, but
The Washington Post article I think is important. David Cutler
sent a memo to the White House, says, you know what, don’t keep
the political people in the White House, Nancy Ann DeParle,
Jeanne Lambrew in charge, bring in outside people. Larry Summers
agreed with that assessment; Peter Orszag agreed with that
assessment, but the President says no, we are going to keep Nancy-Ann
DeParle in charge of this, kept the political people in charge.
In your testimony to the committee, Mr. Chao, you said this,
when asked about October 1st, my marching orders were get the
system up by October 1st, right?

Mr. Chao. Correct. 

Mr. Jordan. Why? If you have all these problems, why not wait? 

Mr. Chao. I didn’t ask why. I said that was my 

Mr. Jordan. And what I am suggesting is the folks at the White 
House knew this thing had problems, evidenced by the testing that 
wasn’t done end-to-end. They, for political reasons, had picked this 
date, so for political reasons they had to adhere to this date, and 
the end is, the end result is Americans’ personal information is put 
at risk. 

Mr. Chao. I tried to correct your perception of what this excerpt 
was from. It is about a long chain of systems that need to be built, 
and this is a point in time. 

Mr. Jordan. Mr. Chairman, I have two seconds. Let me just finish
with this. We have asked, you and I have asked Ms. DeParle,
Ms. Lambrew to come in front of this committee next week, and
the letter we got back yesterday was they are not going to come;
and they are the people we need because they are the political people
in charge. They are the ones who determined October 1st was
the date they needed to move forward on, and they are the ones
who I think ultimately are responsible for putting at risk Americans’
personal information.

With that, I yield back. 

Chairman Issa. Okay.

Mr. Powner, there were all these questions and you seemed to 
have an answer you wanted to give on this end-to-end testing before
it was done. Do you want to weigh in at this point?

Mr. Powner. Well, I would just reiterate the point that the security
testing was done early, on an incomplete system, and the fundamental
question is what is being done now and how adequate is
that to date.

Chairman Issa. Thank you.

Mr. Davis. 

Mr. Davis. Thank you. Thank you very much, Mr. Chairman. 
Mr. Chairman, there has been a lot of information over the past 
several weeks regarding the security of Healthcare.gov and whether
consumers who use this system are at risk. I would like to hear
from the witnesses about this matter and separate fact from fiction. 

Mr. Chao, the Federal Information Security Management Act, 
known as FISMA, requires agencies to protect information systems. 
FISMA specifically requires an authorizing official to sign off before 
an agency begins operating a system. In the case of Healthcare.gov, 
we have a memo that was signed by Administrator Tavenner on 
September 27, 2013, entitled “Federally-Facilitated Marketplace.” 
This memo says that the security contractor “has not been able to 
test all of the security controls in one complete version of the system.”
It also says this resulted in a “level of uncertainty that can
be deemed as a high risk.” 

Mr. Chao, can you explain how CMS tested various components 
of the system for security risk? 

Mr. Chao. In general, in most large IT projects that require several
what we call environments that are used to move from a developer’s
machine in writing code and to test that locally, and then to
put it into a larger environment to test with other code, and you
go through this step-wise process of constructing the system. I
think what the statement reflects is that in any situation similar
to the Marketplace systems, security people have to test when they
can and when they have a window. As I mentioned, there is a compressed
time line, and that compressed time line affords some ability
for security testing to occur as the software is being developed
through its life cycle.

I think what the memo was just trying to say, and it was erring 
on the side of caution, that as software is continuously being developed,
it was tested in three cycles. So by the end of three cycles
it had fully tested the necessary functions to go live on October 1st. 
There are, as I mentioned earlier, other system functions that are 
yet to be built and will continue to have security testing conducted. 

So security testing is a point in time. Risk acceptance of that security
testing results is a point in time. And then in that memo you
will also see that we have applied various mitigation steps to try 
to offset the potential risk that was identified. 

Mr. Davis. Do you know of any other IT systems, in your experience,
that were authorized without completing full system security
testing? 

Mr. Chao. I think that there is a slight art in the wording of 
that. I think every system the Federal Government puts into live 
production needs to have sufficient security testing, per FISMA and 
OMB and NIST requirements. Whether we tested in three cycles, 
whether we tested annually or every three years, testing is an ongoing
and ever-present, kind of part of the process. When we are
testing the controls for a portion of a system that is ready for a 
particular delivery date, we fully test those. For a portion of the 
controls for a part of the system, as I mentioned earlier, in which 
we do not have to make payment on October 1st, that is then tested
at a later date, when that function is ready and needed in order
to go into operation. So it is an iterative ongoing process. 

Mr. Davis. Has a security team been established? 

Mr. Chao. Yes. 

Mr. Davis. Has CMS been performing weekly testing? 

Mr. Chao. Yes. 

Mr. Davis. I have no further questions. Thank you, Mr. Chairman.
I yield back.

Chairman Issa. I thank the gentleman for yielding back. 

We now go to the gentleman from Utah, Mr. Chaffetz. 

Mr. Chaffetz. I thank the chairman. 

I thank you all for being here. 

Mr. Baitman, I would like to start with you. Since the end of August,
how many times have you personally met with Secretary
Sebelius?

Mr. Baitman. I am not sure, probably once or twice. 

Mr. Chaffetz. And when was the last time you met with the 
secretary? 

Mr. Baitman. I believe that it was during the shutdown. The secretary
had regular meetings with senior leadership.

Mr. Chaffetz. So you met one time in October? 

Mr. Baitman. I believe so.

Mr. Chaffetz. So you met one time. You are the chief information
officer. You met one time in October with the secretary. My
understanding is you engaged a hacker to look at Healthcare.gov, 
correct? 

Mr. Baitman. CMS asked us to help them with various things. 

Mr. Chaffetz. But you engaged a hacker to look at the system. 

Mr. Baitman. We engaged someone who is called an ethical 
hacker who is on my staff. 

Mr. Chaffetz. An ethical hacker. When did they start their 
hacking? 

Mr. Baitman. It was during the shutdown. 

Mr. Chaffetz. And how long did it take him to complete his 
hacking exercise? 

Mr. Baitman. I think it is an ongoing activity. But he is actually 
based in Atlanta. 

Mr. Chaffetz. And then he gave you a report. How many serious 
problems did he find? 

Mr. Baitman. I don’t know if I would call them serious. I think 
that there were something like 7 to 10 items on that report. 

Mr. Chaffetz. So you had 7 to 10 items of hacking, some of 
which you don’t believe are serious, but some are obviously serious. 
What percentage of those have been fully rectified? 

Mr. Baitman. I turned those over to CMS for their review. Some 
actually weren’t systems issues, they included things like physical 
security as well. 

Mr. Chaffetz. So you have no follow-up? You have no idea what 
percentage of those hacking incidents were rectified? 

Mr. Baitman. I believe CMS got back to my staff last week and 
said the majority of those had been remediated. 

Mr. Chaffetz. You don’t know what percentage. It is not 100 
percent. 

Mr. Baitman. I don’t believe it is 100 yet, no. 

Mr. Chaffetz. So you shared that with CMS. Did you share that 
with Secretary Sebelius? 

Mr. Baitman. I have not. 

Mr. Chaffetz. You are the chief information officer for the 
Health and Human Services. 

Mr. Baitman. These are fairly technical items. The appropriate 
place to share them is with the system owner. 

Mr. Chaffetz. But it is not safe and secure, and I guess that is 
the fundamental concern, is even after the October launch, you are 
the chief information officer, you get a hacker who in a couple days 
finds probably 10 or so problems and challenges. It is that easy to 
get in and hack the information. That is the concern. 

Mr. Powner, is this ready? Following up on Mr. McHenry’s question,
is the site, in your opinion, currently as safe and secure as
an online banking site? 

Mr. Powner. I would have to look and assess the security. And 
all that stuff that MITRE did and the authority to operate is preliminary
because it was on — I mean, MITRE said that they didn’t
test the interfaces. The interface testing needed to occur. So all 
that stuff that is preliminary raised issues, but, again, we 

Mr. Chaffetz. Would you put your information in there?

Mr. Powner. I would have to see what the security testing and
assessment has been since then before I was comfortable. I haven’t 
seen it yet, so we are going to look at it. 

Mr. Chaffetz. Well, the answer is not yet yes. 

Mr. Chao, would you put all your personal information about you 
and your loved ones in it? 

Mr. Chao. Yes. In fact, I have recommended my sister, who is 
unemployed right now, to actually apply. 

Mr. Chaffetz. Did she successfully register? 

Mr. Chao. I haven’t talked to her lately; she has been out of the 
Country. 

Mr. Chaffetz. Interesting. And you have this report, then, from 
Mr. Baitman, about the hacker’s report? 

Mr. Chao. I do not personally, but as I mentioned earlier, there 
are security teams in place, including permanent security staff 
under the chief information security officer that coordinates with 
franks. 

Mr. Chaffetz. Mr. Chairman, this is something we obviously 
have to follow up on. 

Mr. Park, you are a very bright and talented person. The Federal 
Government is lucky to have somebody of your caliber engaged in 
this process, and it actually gives me comfort that you are looking 
at this and spending some time in it, but I have a fundamental 
question that I want to ask you. Have you ever shopped on Amazon.com?

Mr. Park. Yes, sir. 

Mr. Chaffetz. Have you ever shopped on eBay.com?

Mr. Park. Actually, no. 

Mr. Chaffetz. We are going to have to work with you on that one.

Chairman Issa. As a Californian, I am personally offended.

Mr. Park. I would like to. 

Mr. Chaffetz. Let’s go back to the Amazon experience. When 
you put something in your shopping cart, is that considered a sale? 

Mr. Park. No. 

Mr. Chaffetz. Thank you. 

I yield back. 

Chairman Issa. Would the gentleman yield? 

Mr. Chaffetz. Sure. 

Chairman Issa. Mr. Chao, you have been fairly defensive about 
things being out of context, so I am going to ask unanimous consent
that the CMS document of September 3rd, 2013, the memorandum,
be placed in the record in its entirety. But before I do
so, — well, without objection, so ordered. 

Chairman Issa. But I want to make something clear. We had 
previously redacted information. Is there anything in that memo 
that you believe needs to be redacted? Because otherwise we will 
put it in in its entirety so there’s no question about that. 

Mr. Chao. I would have to review it. 

Chairman Issa. Okay, it is in the record now. By close of this
hearing, if there is something that needs to be redacted, I need to 
know, because I will consider redacting it. 

Mr. Cummings. Mr. Chairman? 

Chairman Issa. Yes.

Mr. Cummings. I just wanted to make sure there was no sensitive
information in there.

Chairman Issa. Well, that is the problem. 

Mr. Cummings. I am just trying to obey the law, Mr. Chairman. 

Chairman Issa. This thing is already in the record. If we choose 
to redact something — the question is that there are numerous 
things that give us sightings of lines in September 3rd that clearly 
this thing wasn’t ready for security on September 3rd. And when 
our people questioned you about September 27th and there was no 
end-to-end and security concerns, you want to say you were taken 
out of context, but both September 3rd and September 27th, what 
we find is that there was no end-to-end testing, and any point of 
vulnerability is a point that could access people’s private information.

Isn’t that true, Mr. Powner? So the absence of end-to-end testing 
means that anything that can reach into the database, in fact, 
could be a significant security risk to people’s personal information, 
and has nothing to do with whether or not a module is about shopping,
isn’t that true?

Mr. Powner. That is correct. 

Chairman Issa. Okay.

Yield back and at this point I recognize the gentleman from Tennessee,
Mr. Cooper, next.

Mr. Cooper. Thank you, Mr. Chairman. I am worried that the 
net effect of this hearing might be to exaggerate the security difficulties
of the website. I serve on the Armed Services Committee,
and our own Pentagon is attacked many thousands of times a day, 
sometimes by foreign powers. So the entire Internet could and 
probably should be more secure. So we have to acknowledge some 
system problems for the whole Internet, and then there are other 
issues we can deal with. 

Another concern I have is the witnesses are being badgered, and 
I would like to offer witnesses, perhaps Mr. Baitman, perhaps Mr. 
Park, Mr. Chao, and others an opportunity to respond, because I 
believe in fairness, and the American people do not want to see a 
kangaroo court here. And the way this hearing has been conducted 
does not encourage good private sector people to want to join the 
Federal Government. 

I personally had the privilege of hearing Mr. Park speak in 
Nashville, Tennessee a couple years ago. He spoke before a hard-core
private sector, pro-capitalist, business audience, and they told
me they had never heard a speaker who understood business better,
who got it; and it was a real tribute to me that someone of your
caliber was willing to work for the Federal Government, because 
that instilled faith in the process, because we are the best Nation 
on Earth. We have to act like it. We do face problems sometimes, 
but the American spirit is the can-do, we can fix it attitude, not 
the blame game, not the bickering game. 

So if there are witnesses who would like a chance to say a few 
words in public, because you have been treated unfairly, in my 
opinion, and I would like to have this be an equal playing field. 

Chairman Issa. Would the gentleman yield? Have I cut off anyone’s
answer here today?

Mr. Cooper. Will I be able to keep my time?

Chairman Issa. Of course.

Mr. Cooper. You cut off the ranking member of this committee 
at the beginning of this hearing. 

Chairman Issa. I cut him off a minute into question and answer, 
after he had exceeded his five minutes. But no witness here today 
has been cut off. 

Mr. Cooper. But, Mr. Chairman 

Chairman Issa. Every witness has been allowed to complete their
entire answer. 

Mr. Cooper. Mr. Chairman, but using 

Chairman Issa. I just want to understand. Kangaroo courts is
quite an accusation, and I hope the gentleman from Tennessee,
when he uses the term kangaroo court in the future, will think better
of making an accusation. No witness has been cut off. Every
witness has been allowed to complete their entire answer in every 
case. We went about six minutes before I asked Mr. Baitman to 
simply conclude. That is the closest thing to anything. So this is 
not a partisan hearing. I will not have it accused of being a partisan
hearing. We have a website that the American people have
seen doesn’t work. We are trying to get to an understanding of why 
it didn’t work so that it doesn’t happen again. And these happen 
to be experts, and for the most part we are relying on them to be 
the people fixing it. 

The gentleman is recognized. 

Mr. Cooper. Thank you, Mr. Chairman. This is a hearing on a 
broken website by a broken committee, and the air is thick with 
innuendo. When the chairman discusses rehabilitating witnesses, 
that implies they need rehabilitating, when in some cases the witnesses
have perhaps already been abused, sometimes by leaks,
whether deliberate or not. So let’s focus on fixing the problems. 
And I think Mr. Baitman was about to speak. 

Mr. Baitman. Thank you, Mr. Cooper. There is one thing I would 
like to clarify in response to my comments to Mr. Chaffetz. We 
found vulnerabilities with the system, and there will always be 
vulnerabilities. Every system that is out there, systems that are 
live, systems that we trust right now, banks, online shopping sites, 
all have issues because they are continually making changes to 
their code. That introduces vulnerabilities. And it is up to us on a 
continual basis, as Mr. VanRoekel pointed out, all software goes 
through continuous improvement. So what we are doing right now 
is continually improving our software and on an ongoing basis 
identifying vulnerabilities that exist. 

Mr. Cooper. Any other witness? Mr. Chao? 

Mr. Chao. What I would like to say is that if I come across as 
being defensive, I apologize, but I am being defensive not in terms 
of me; I am being defensive in terms of the truth. And I believe 
that that is what this committee is trying to get to. In fact, I think 
that is what you said in the beginning. So when I detect that there 
is distortions or misuse or unrevealed things about that I spent 
nine hours with your staff basically being deposed, I am going to 
be defensive because that is not the truth. That is all I want to 
make clear about my defensiveness. 

Mr. Cooper. Any other witness like to make a point? 
This committee has many talents and it has broad investigative 
jurisdiction. To my knowledge, and I could be wrong because my 
colleagues have many talents, to my knowledge, none of us could 
do a website on our own. We are not software engineers. You 
could? 

Chairman Issa. I think, unfortunately, you have several here, including 
one who made a living doing it. 

Mr. Cooper. Well, none of us would want to certainly be engaged 
in this task. Are you volunteering to work for 

Chairman Issa. None of us want to own this particular website. 

Mr. Cooper. Well, yeah. But it is easy to criticize. It is hard to 
perform. And as the gentleman, Mr. VanRoekel, pointed out, even 
Microsoft, with Windows XP, is still revising it 12 years later. Soft- 
ware is an iterative process. The Internet is not perfect, but it is 
still one of the great technological accomplishments of mankind. It 
is transforming the planet, and in a good way overall, but there are 
glitches and we work on those. 

So when we swear witnesses, as we do, when we put them in a 
very uncomfortable position, deliberately, in some cases when we 
subpoena them unilaterally, that creates tension, and it is actually 
going to slow the fix of the website. So I worry about that. 

And the chairman and Mr. Connolly have already collaborated on 
what sounds like an excellent bill to fix overall Federal IT. I was 
very impressed when Mr. VanRoekel pointed out that is an $82 bil- 
lion issue. What we are talking about here today, at least from the 
August cost estimate, is 0.6 percent of that. Why don’t we focus on 
the larger issue and fix it? Because, as I said earlier, it is much 
better to light a candle than to curse the darkness. 

Chairman Issa. If the gentleman would yield, maybe we can 
close on a positive note. Both Mr. Powner, who has constantly 
talked about stress-testing end-to-end, and Mr. VanRoekel, who 
knows very well that Microsoft never put a new operating system 
that wasn’t stress-tested end-to-end; it still had bugs, it still had 
vulnerabilities. And, by the way, whenever you add a new driver, 
a new something else, you create a potential new one that has to 
be tested. But stress-testing end-to-end was something that this 
committee wanted to know at the onset, why it hadn’t been done, 
because it is a best practices, which GAO has very kindly made 
clear. I believe it is already in the record, but if it is not, the nine 
points that GAO had made in their report of best practices that 
were not followed. 

So Mr. Connolly and I, Mr. Cooper, we are trying to get to where 
best practices will always be used. And in this case, not because 
of these individuals, per se, they are here as experts, but this de- 
velopment over three and a half years shortcutted some best prac- 
tices, and it is not the first time and it won’t be the last time, but 
it is one where, as I said in the opening statement, it is so impor- 
tant, when the American people are focused, for us to say you can 
expect better from your Government in the future; and I don’t 
mean on Healthcare.gov, I mean on all of that $82 billion worth of 
IT. 

And I appreciate your comments to that end. 

Mr. Cooper. Mr. Chairman, let’s see about getting your bill to 
the floor. 
Chairman Issa. Boy, I tell you, that is something we all would 
like to do, so I am going to talk to leadership 

Mr. Cooper. You are in the majority party. 

Chairman Issa. You know what? I tell you what. I will get it to 
the floor in the House. If you will help me in the Senate, we will 
get this done. 

Mr. Cooper. I have lots of influence in the Senate. I would be 
happy to help. 

Chairman Issa. Thank you. 

[Laughter.] 

Chairman Issa. With that, we recognize the gentleman from 
Michigan, who knows a great deal about health care websites from 
his State, Mr. Walberg. 

Mr. Walberg. Thank you, Mr. Chairman, and thank you for 
holding this hearing. 

And to the panel as well, thank you for being here. You have 
plenty to do. We wish you didn’t have to be here today, but when 
I receive letters on top of letters and contacts in six town hall meet- 
ings that I held last week, live town hall meetings, like this one 
from Rachel Haynes in Eaton Rapids, Michigan, where she talks 
about the fact of cutting off from her insurance, her husband and 
five children, she says this: I hated the idea of getting on to 
Healthcare.gov website, as I believe insurance is a private matter. 
I did it anyway. The website did not work, so I called a number. 
And she goes on to tell of talking with a person on the phone and 
ultimately being hung up on. 

That is the reason why this hearing is important. Frankly, Mr. 
Chairman, I believe that this whole act that was put into law 
under the cover of darkness with the simple votes from the other 
side of the aisle who now take offense at us having hearings like 
this on problems and doing proper oversight is the reason to have 
this hearing today, because people like Rachel Haynes and her 
family are concerned not only about security, but right now that is 
one of the biggest concerns on a website that doesn’t work for her. 

I want to go back to some of the concerns in the MITRE report 
and I want to ask the first question. Mr. Chao has already, in ear- 
lier statements to questions just before me, indicated, when asked 
why he didn’t push back on opening this thing up on October 1st, 
he didn’t ask why. So I am going to go to Mr. Baitman, because 
I think that is an important question that should have been asked, 
why. Why do we have to open up on October 1st? 

But the question I would ask here, Mr. Baitman, MITRE was re- 
sponsible for conducting the security control assessment for the 
Federal exchange, is that correct? 

Mr. Baitman. That is my understanding. 

Mr. Walberg. According to MITRE, the final security assess- 
ment for the Federal exchange occurred from late August through 
mid-September. Is that your understanding? 

Mr. Baitman. It is. 

Mr. Walberg. Mr. Baitman, to the best of your knowledge, did 
MITRE conduct a complete integrated security test of the Federal 
Marketplace? 

Mr. Baitman. I can’t answer that; I don’t have visibility into it. 
Mr. Walberg. Well, I would like a document put up that deals 
with this test and the outcome, if I could have this particular docu- 
ment. Okay. If you see there, FFM, the website, the Marketplace, 
complete percentage, 66 percent complete. That is it. Sixty-six per- 
cent complete. This document was obtained by the committee. We 
have in place — let me ask this question, Mr. Baitman. Is it a prob- 
lem that MITRE wasn’t fully able to test one-third of the Ex- 
change? 

Mr. Baitman. I can’t answer that. This project was run and man- 
aged by CMS. They are responsible for the security. 

Mr. Walberg. In the security control assessment dated October 
11th, 2013, and of which a preliminary copy was given to CMS, on 
September 23rd, 2013, MITRE writes that they are unable to ade- 
quately test the confidentiality and integrity of the health insur- 
ance exchange system in full. They go on to say MITRE also writes 
the application at the time of testing was not functionally complete. 

Mr. Powner, what are the dangers of conducting a security as- 
sessment on an incomplete system? 

Mr. Powner. Well, you could have vulnerabilities that go untest- 
ed. Also, too, on this document — see, there are a lot of dates that 
don’t add up. My understanding is that MITRE conducted their se- 
curity assessment in August and September, and it was later Sep- 
tember. So there is data all over the place. The bottom line to your 
point, though, is it wasn’t done on a complete system. 

Mr. Walberg. MITRE has told, Mr. Powner 

Mr. Chao. Excuse me. I just want to point out that that is a 
CGI-provided document, that is not from CMS. 

Mr. Walberg. Yes, I understand that. MITRE has told committee 
staff that to their knowledge, there has not been a comprehensive 
test of the entire system. One of the dangers posed by not 
conducting a complete, integrated security test of all the system 
components, Mr. Powner? 

Mr. Powner. Well, in order to ensure that your data is secure 
and the system is safe to use, you want to test on as complete a 
system as possible. 

Mr. Walberg. Then based on what you know, were Americans’ 
sensitive personal information at risk when Healthcare.gov opened 
on October 1st, 2013? 

Mr. Powner. I don’t know what happened from mid-September 
on. That is the only caveat I would like to say, because there was 
testing done through mid-September, and I am blind to what hap- 
pened during that period of time. 

Chairman Issa. The gentleman’s time is expired, if you could 
wrap up very quickly. 

Mr. Walberg. Last question. Can you ensure the American peo- 
ple that the website will work on November 30th? 

Chairman Issa. The gentleman may answer. 

Mr. Walberg. Asking Mr. Powner. 

Mr. Powner. That is not my responsibility. 

[Simultaneous conversations.] 

Chairman Issa. The gentleman’s time is expired. If anyone else 
wants to answer November 30th, they may. Mr. Park, will it work 
on November 30th? Properly, fully? 
Mr. Park. The team set a goal of having Healthcare.gov function 
smoothly for the vast majority of Americans. The team is working 
incredibly hard to meet that goal. 

Chairman Issa. I thank the gentleman. 

Mr. Walberg. With secure information? 

Mr. Park. With secure information. 

Chairman Issa. Thank you. The gentleman from Nevada. 

Mr. Horsford. Thank you, Mr. Chairman, and to the ranking 
member and to the other committee members, to our witnesses. 
This is an important hearing. Our constituents are rightfully con- 
cerned about their right to be able to access affordable health care 
on the website, Healthcare.gov. And while the rollout has been 
problematic, what has been more troubling is the fact that this has 
been turned into more of a game than it has been about how we 
can work together to fix the problems of the site. 

My concern is one of security of personal information. I also sit 
on the Homeland Security Committee, we are having a hearing 
also this morning on this subject. So I want to ask about the poten- 
tial security risks to consumers. Mr. Chao, do you agree that pro- 
tecting personal identifiable information on Healthcare.gov is im- 
portant and is something that can be achieved? 

Mr. Chao. I think that is something that we as CMS and as a 
Federal agency comply with, FISMA and OMB and NIST specifica- 
tions for securing people’s data, and then following HIPAA’s re- 
quirements for confidentiality, integrity and availability of data. 

Mr. Horsford. Can you explain how CMS protects consumer in- 
formation, how that is safeguarded by CMS? 

Mr. Chao. I think one of the things that is very obvious when 
you come to Healthcare.gov, and if you go to, in my opening re- 
marks I mentioned there are two sides to it, or two legs. If you go 
to the Get Insured side, one of the first things that you have to do 
is to register to establish an account. And we mentioned that reg- 
istrations are up to about 17,000 per hour right now. That registra- 
tion process allows you to establish what we call a level one assur- 
ance of assurance account, which is based upon the National Insti- 
tute of Standards and Technology. That is very similar to some- 
thing like what you would establish in terms of opening up a Gmail 
or Yahoo account, just very basic information. 

Mr. Horsford. Okay. Let’s move on to the next question. We are 
very limited on our time. 

Mr. Chao. So basically the answer is, it is about authenticating 
you, it is about, are you who you say you are before we let you into 
the system. And that is one major step in ensuring that people’s 
privacy is protected, so that they only see their own data. 

Mr. Horsford. And is Healthcare.gov any more or less risky to 
consumers than other sites, including private company information 
in the banking world or using credit cards to purchase information 
over the internet? 

Mr. Chao. I can’t speak for what privacy frameworks and pro- 
grams apply to private sectors. But for the Federal government, we 
follow the FISMA guidelines and the requirements set forth by cer- 
tain OMB directives. And we use independent security testing con- 
tractors to ensure that we comply. 
Mr. Horsford. Mr. Park, you have spent some time with this 
website. Have you been able to understand the security features 
that are inherent in it? 

Mr. Park. That hasn’t been my particular focus on the team, no. 
There is a CMS security team dedicated to security matters. 

Mr. Horsford. Based on your review of that, do you believe the 
site poses any unreasonable risks to consumers? 

Mr. Park. I haven’t actually, again, dived into that personally. 
But my understanding is that CMS is applying its information se- 
curity best practices to the protection of the site. CMS has a great 
track record in protecting the privacy of Americans. 

Mr. Horsford. Mr. VanRoekel, I understand you worked on the 
data Hub. Can you explain why you believe consumers should have 
confidence that their information is secure as it passes through the 
Hub? 

Mr. VanRoekel. I didn’t actually code the Hub itself, so I didn’t 
do the day-to-day. But one thing that should be pointed out is that 
cyber security is part of everything we do. You almost can’t buy a 
keyboard in government now without having cyber security consid- 
erations on that. And we have built a culture of assessment and 
mitigation that is all about assessing the level of risk, it is low to 
high. And then you put into place technology to mitigate that risk, 
to make sure that we are protected. 

The standards that we abide by are the NIST standards which 
are actually co-developed with the private sector. So the banking 
industry, financial industry, insurance industries outside of govern- 
ment actually use the same standards as government does, and we 
hold government to those standards, and often in many cases lead 
those industries in the ability to do these things. 

The other aspect of this is, this is ongoing. You hear, I am sure, 
in the Homeland Security Committee, a lot around the fact that we 
have cyber security in what we do there, you have to do ongoing 
tests. You have to rapidly respond and assessments are never done. 
You have to just stay vigilant in those cases. 

Mr. Horsford. Thank you. Mr. Chairman, I would just say that 
this is not about playing offense or defense. It is about us getting 
this job done on behalf of the American people and working to- 
gether. I am rather insulted by this House Republican play- 
book — 

Mr. Meadows. [Presiding.] The gentleman’s time is expired. 

Mr. Horsford. — where it talks about ObamaCare 

Mr. Meadows. The gentleman from Oklahoma is recognized. 

Mr. Horsford. — the loss of insurance and what this means. This 
is not 

Mr. Meadows. The gentleman will suspend. The gentleman from 
Oklahoma is recognized. 

Mr. Lankford. Thank you, Mr. Chairman. Gentlemen, thank 
you. This is not a day that is probably a fun day for you, you prob- 
ably didn’t get up and go gosh, I can’t wait for this day. I get that, 
and I want to say thank you, because all of you are professionals 
that have given to public service. You all could make a lot more 
money in the private sector and you have chosen to serve people. 
We all have differences on opinion on direction and that kind of 
stuff, but I want to say thank you to you as well for what you are 
doing, because you have made a conscious choice in that. 

Let me walk through a couple of things just to be able to get to 
some of the reality on it. About an hour and a half ago I went on 
my iPad, went to Healthcare.gov and hit this button that says cre- 
ate account. It doesn’t go anywhere. It just changes colors and does 
nothing. So I reloaded on this and for about an hour and a half I 
have just occasionally hit that button. 

This is the frustration, the struggle of a lot of folks out there. 
Then you all have the frustration, we get that. We have questions, 
though, as we walk through this process of now what happens. 

Mr. Park, you were asked a question earlier about the November 
30th time line. I assume Mr. Zients has laid that out there at the 
end of November, when everything would be ready and available. 
You said it is our goal. Can you give me more specifics? Are we 
going to hit November 30th? 

Mr. Park. Thank you for the question, and thank you for your 
kind words at the beginning as well. 

The goal that has been laid out is not for the site to be perfect 
by the end of November. 

Mr. Lankford. Functional, so people can log on? 

Mr. Park. So that the vast majority of Americans will be able to 
use the site smoothly. That is the goal we are gunning for. We are 
working very hard to get here. 

Mr. Lankford. So here is the issue. Around 5 million people 
have received a cancellation letter. I have multiple constituents 
that have sent me copies of their letters, all of them end with, your 
insurance policy concludes December 31st. If they cannot get on 
and log into the site by December 15th, they will not have access 
to insurance January 1st and they will be uninsured. People who 
are currently insured will not have insurance as of January 1st. 

So I understand the deadline is out there for March 31st, and all 
this kind of stuff on it. Those individuals who have received it by 
the millions cannot get insurance and on January 1st will be unin- 
sured. 

So I get that is the goal. But the reality is racing at us. And the 
comment has been made on it that we are trying to fix a plane that 
is in the air. I fully understand the complexities of that. The chal- 
lenge of it is that many of us had said, park the plane for a year, 
let’s get it right before we launch this thing. That is not your fault, 
you all are dealing with the realities that are on the ground. But 
that is something that we are trying to communicate on this. 

Mr. Chao, let me ask you something. September 27th, the ATO, 
the authorization to operate, in some of the committee staff that 
you had mentioned, that was a very long day as well, you visited 
with committee staff on it. During that conversation, there was a 
back and forth on this ATO coming out that Mr. James Kerr and 
yourself, that you had edited there, since Marilyn Tavenner. In 
that memo, you wrote, “Due to a system of readiness issues, the 
security control assessment was only partially completed. This con- 
stitutes a risk that must be mitigated to support the marketplace 
day one operations.” You were asked by staff, what are some of 
those risks that are out there, that are kind of the unknowns on 
it, that have to be mitigated. During that conversation, you had 
listed things like unauthorized access, not encrypting data, identity 
theft, misrouted data, personal identifiable information, those are 
the kinds of the great unknowns of this, at that point. 

Then, am I tracking this correctly? Do you remember this? 

Mr. Chao. Yes. Those are examples that I was asked to provide. 

Mr. Lankford. Sure. The problem is that you are trying to miti- 
gate on things that you don’t know. I understand about mitigating 
on a risk. You mitigate on things that you know, is that correct? 

So on day one, Marilyn Tavenner is signing a document saying, 
there are risks that are out there. Some of those that you had list- 
ed, we are going to have to mitigate on those. Were we mitigating 
for every possibility on it? 

Mr. Chao. I think what you do is, on a risk-based approach, you 
look at the probability of a particular risk occurring and you 
prioritize. For example, one of the mitigation steps was to conduct 
weekly security testing and to report back to the Administrator on 
the result of that security testing. 

Mr. Lankford. During that testing process, did you find that 
some data was misrouted? Once it was launched? Are insurance 
companies getting information that is incorrect? 

Mr. Chao. There are cases in which insurance companies were 
getting data that were not incorrectly routed to them, but incor- 
rectly formatted within the transaction. 

Mr. Lankford. Do you know who briefed Marilyn Tavenner on 
the security risks? Because obviously she had to sign off on this 
document. Do you know who sat down with her and briefed her on 
the security risks, here are all the things we are trying to walk 
through? 

Mr. Chao. It was our chief information officer and chief informa- 
tion security officer. 

Mr. Lankford. Two other quick questions. Is there a way to be 
able to track what personal information any employees can see 
while they are working on this? Obviously you had a lot of contrac- 
tors involved in this, now we have added even more contractors 
trying to learn all those contractors, who they even are. Is there 
a way to be able to track? Because now there is personally identifi- 
able information in the system as well. Is there something in place 
that tracks what people who are working on the back end of the 
site can see as far as personally identifiable information? 

Mr. Chao. Yes. There are system logs. For example, if you call 
the call center and the call center representative is 

Mr. Lankford. I am talking about people working on the back 
end. 

Mr. Meadows. The gentleman’s time is expired. You can finish 
the question. 

Mr. Chao. In certain cases, yes. Like if you are in a testing envi- 
ronment. Very few people touch a production environment. So they 
wouldn’t even have access to that live data. Sometimes when we 
use testing data, you want to see the results, so you do have devel- 
opers having access to that information. But it is not live people’s 
data. 

Mr. Meadows. I thank the gentleman from Oklahoma. 

For the record, Mr. Chao, I wanted to point out, those items that 
you identified as particular inherent risks were identified by you 
prior to the September 3rd memo that was introduced. I know the 
gentleman from Virginia had indicated that it was after that 
memo. But for the record, you indicated those prior to that memo 
being introduced by committee. 

Mr. Chao. I don’t quite understand what you are trying to say 
there. Because the question was asked, what examples, and it was 
in the context of the September 27th memo. You are saying Sep- 
tember 3rd. 

Mr. Meadows. You mentioned these risks because of the failure 
to do integrated security testing. 

Mr. Chao. I don’t believe I said failure. 

[Simultaneous conversations.] 

Mr. Chao. This is the problem, I don’t have the transcript in 
front of me, I cannot confirm with you. I was not given an oppor- 
tunity to make corrections, if there were corrections to be made. So 
you can tell me what you want, but all I can say is to the best of 
my knowledge, I don’t recall saying that. I need to see my tran- 
script. 

Mr. Meadows. The gentleman from Vermont, the distinguished 
gentleman from Vermont is recognized. 

Mr. Welch. Thank you, Mr. Chairman. 

First, I want to join Mr. Lankford in thanking each of you, Mr. 
Powner, Mr. Chao, Mr. Baitman, Mr. Park, Mr. VanRoekel, for the 
incredible effort that you are putting into trying to fix a very seri- 
ous problem. Thank you. 

Second, you don’t have to be an opponent or a supporter of the 
health care law to acknowledge that there are significant rollout 
problems associated with the website. Those of us who are sup- 
porters, and I am a very strong supporter of the health care law, 
are absolutely committed to providing the support you need to 
make this thing work. 

There are really four issues that we have that are rolling around. 
One is, the website, what we have to do to fix it, and it has to be 
fixed. Two is, what is the impact of these cancellation notices that 
a lot of Americans are receiving. They thought they had health care, 
they were assured that they could keep the policy that they had. 
And the problem gets compounded if the website is not working. 
And then third is the individual mandate that is the subtext of the 
debate, but that is essential to the law, but in order to make that 
work, the website has to work. And the fourth is the IT purchasing, 
are there some lessons that we can learn. I tend to think that it 
is really important to move ahead on the Issa-Connolly legislation. 

So that is the context that we are in. You are here to help us 
fix the problem. We have to get that done. 

So I want to start by just asking you, Mr. Park, if you could 
make some comments about, you would be repeating a little bit, 
but what are the specific things we can do to get this fixed? And 
I understand all of us would like to have a hard and firm date 
where everything is going to be perfect. But what we are dealing 
with is the real world, and we want it to be functional for the vast 
majority of Americans. So what are the ABCs that you need to do 
and hopefully not require you to sleep on the floor in the office at 
night? 
Mr. Park. Thank you so much for the question. The team is taking 
all the right steps under the leadership of Jeffrey Zients and 
Ms. Tavenner. So first of all, the team has implemented monitoring 
across the site, improved monitoring to actually understand 
performance of the system, and where are the issues and where to focus. 

Secondly, with the help of that data, the team has undertaken 
an aggressive program of improvements to actually improve the 
stability and performance of the site through tuning, system con- 
figurations, capacity expansion, et cetera, which has resulted in, 
among other things, the site being more stable, system response 
times going down, as I mentioned, from 8 seconds to less than a 
second. 

Thirdly, the team is working on functionality bugs. So high pri- 
ority issues with respect to the user interface and user experience. 
And that is actually being pursued very aggressively of course as 
well. 

Then finally, there is a bunch of work underway to keep improv- 
ing the software release process. So you can actually fix these 
issues faster and faster at a growing clip. 

Then you have QSSI having been brought in by Administrator 
Tavenner as the general contractor to manage this effort. And so 
it is all moving at increasing speed. 

Mr. Welch. How are we going to address the problem that Mr. 
Lankford had getting on the website, where he hit the enter button 
and it didn’t work for an hour and a half? 

Mr. Park. There has been a lot of progress on that front, and 
many more folks can get in now than previously, through both the 
ability for that particular component of the system to handle more 
volume through capacity expansion and software optimization. And 
also through bug fixes that have been applied. But actually, if Con- 
gressman Lankford would be so kind, I would love to follow up 
with you afterwards just to understand your specific situation. And 
then we can actually use that to inform the troubleshooting and 
the fixing. 

Mr. Welch. I would really like it if you did, because that is a 
fair question. 

Mr. Lankford. If the gentleman would yield for just one second. 

Mr. Welch. Yes. 

Mr. Lankford. It is pretty straightforward. I just got to that 
page and hit the button, it changed colors and did nothing. So it 
is nothing more than that, as far as moving in to just to log in to 
create an account. 

Mr. Welch. Mr. Powner, do you have some concrete suggestions 
about what we can do as a Congress to make it more efficient and 
more effective when we are making significant IT purchases on be- 
half of the American taxpayer? 

Mr. Powner. I have a couple very specific suggestions, and I am 
going to go back to my oral statement. We are down in the weeds 
on what needs to be done to fix it, and the program management 
needs to be in place. But the IT dashboard, there are 700 major 
IT investments. This is one of them. It was green. Given the late 
start, the compressed schedule and the complexity, does anyone 
think it was really a green project? I don’t think so. It should not 
have been green. There should have been flags on the dashboard 
and better transparency. 

The other thing is proactive governance. We look at the IT re- 
form plan, things in the FITAR bill legislation. Proactive govern- 
ance is very important. It is great and I am pleased that Steve and 
Todd and everyone is involved now. But we need that governance 
up front on important projects, not when things go in the tank. We 
need it up front. It is the same thing with when projects go in the 
tank, we get engaged with the contractor more. Why don’t we en- 
gage with the contractor, engage with the right executives, up front 
instead of when we have problems? I know there are a lot of 
projects and a lot of priorities. But we need to find a way to tackle 
that better. 

Mr. Welch. Thank you. I yield back. 

Mr. Meadows. I thank the gentleman from Vermont. The gen- 
tleman from Pennsylvania, Mr. Meehan, is recognized. 

Mr. Meehan. I thank the chairman, and I too want to join in this 
sentiment, that I appreciate that you are legitimately trying to 
work on this. We all are. And I happen to chair the Cyber Sub- 
committee on Homeland in addition, and have great concerns and 
frustrations. I think I reflect many of the people out there that 
with the concept of frustration, because in many ways, when I talk 
to my folks at home, this isn’t about a website, it is about trust. 
It is about this inherent trust that they have in the relationship 
with their doctor is now being impacted. And the very trust they 
have in the ability for this system not only to operate but to oper- 
ate securely. 

Now, I know this is sort of outside, I was stunned when I heard 
the question the other day that the Secretary said yes, we can have 
felons that are operating as navigators. What is going to be done 
from this point forward to assure that no felon will be used as a 
navigator anywhere in the United States? Mr. VanRoekel? 

Mr. VanRoekel. In the context of this system, that is sort of a 
health policy decision, it is not a tech decision. 

Mr. Meehan. Mr. Chao, is there anything that can be done? Will 
you participate in getting something done? 

Mr. Chao. I think CMS is actively performing background inves- 
tigations. 

Mr. Meehan. Well, that is not what the Secretary said. Look, 
please look into that for me. That is not my line of questioning, but 
I move into this whole issue of trust. Again, trust, we had Ms. 
Tavenner and you before our committee testifying about the readi- 
ness in July and August of this, to ready to go. I just look at the 
background of, this is the IG’s report to Congress on FISMA. One 
of the things that Ms. Tavenner and you were talking about was 
compliance with FISMA and therefore, when you look at HHS, the 
IGs came out, the second worst score in every agency across gov- 
ernment, HHS. A 50 percent compliance with FISMA. The second 
worst in all of government. 

So we are already dealing, again, with a question of trust. So let 
me just get to the heart of our engagement. Because I was so frus- 
trated, I couldn’t understand how an IG’s report, Mr. Chao, could 
have suggested that there were great concerns about the ability to 
be ready in time to conduct the testing. And you assured me at 
that time that they were on schedule and you were going to meet 
all the requirements for the testing, as did Ms. Tavenner. 

Now, we were told before the marketplace systems were allowed 
to operate, they had to comply with all of the rigorous standards. 
Yet at the same time that you were testifying before me, I had a 
Washington Post story that was saying staffers were aware by late 
2012 that the work of building the Federal exchange was lagging. 
Employees warned at meetings late last year and in January that 
so many things were behind schedule, there would be no time for 
adequate end to end testing of how the moving parts worked to- 
gether. 

So how was it done, then, that in this short time frame, where 
their own employees are saying it couldn’t be done, the IG said 
that there were tremendous concerns about the ability to do the 
testing, somehow the day before our committee had you before us, 
there was a report from the Secretary that said, all of our market- 
place systems are allowed to operate and begin serving consumers, 
and I am pleased to report that the Hub completed its independent 
security control assessment on August 23rd? 

Mr. Chao. The Hub was tested first, and it was completed in Au- 
gust, as you mentioned. I think the remainder of August and into 
September, we concluded the third round of testing for the market- 
place systems, particularly for the functions that were needed for 
October 1st. 

Mr. Meehan. How could you do the testing on the system? Be- 
cause you have reported, but here is the document that came out 
from CGI. At the very time you were saying to me that this was, 
this had been certified as complete, by the certifying agency and 
Tavenner was here testifying that it was done, you have at the 
same time an internal memo from CGI saying that the FFM sched- 
ule was only 51 percent completed, on the same day you are telling 
me that the certification has been finished. How can you complete 
and certify when they haven’t even built more than half of the sys- 
tem? 

Mr. Chao. I don’t know what document you are holding, but I 
am assuming that in August, 51 percent is about where we were 
at. Remember, we still have other key functions, such as payment, 
risk adjustment, reconciliation. 

Mr. Meehan. How do you give certification when it is only 51 
percent complete? 

Mr. Meadows. The gentleman’s time is expired. 

Mr. Chao. Because you test the components, the parts of the sys- 
tem that go into production and that are actually interacting with 
the public. 

Mr. Meadows. The gentleman’s time is expired. 

We recognize the gentleman from Massachusetts, Mr. Tierney. 

Mr. Tierney. Thank you very much. 

Mr. Chao, do you feel you have had adequate opportunity to an- 
swer that last question? Or do you have other things you want to 
add? 

Mr. Chao. I think I got my last word in. 

Mr. Tierney. Thanks. So earlier this morning, at the beginning 
of the hearing, Chairman Issa asked you about the anonymous 
shopper function. Do you recall that? 

Mr. Chao. Yes. 

Mr. Tierney. You said you had decided to direct CGI to disable 
it because of defects, and Chairman Issa challenged you and ac- 
cused the White House of ordering the action for political reasons. 
Do you recall that? 

Mr. Chao. Yes. 

Chairman Issa. Would the gentleman yield? 

Mr. Tierney. No. 

So during that phrase, also I think Chairman Issa handed you 
a document, and I think it is probably still with you there. 

Mr. Chao. Yes. 

Mr. Tierney. And the chairman gave you the document that said 
it showed that there were no defects in the system. It does say that 
the function is anonymous shopper, does say the CGI said it tested 
successfully. Then he has blown up a box, over a number of the 
other statements made on the right hand side of that box. It just 
says 9/22 this feature will be turned off on day one, October 1. 

Now, I have given you a sheet there, I believe staff has given you 
a sheet there that is clean from those boxes, and just as the origi- 
nal document without the chairman’s blowups on there obstructing 
any of the other materials. Do you have that document? 

Mr. Chao. I think so. Is it this one? 

Mr. Tierney. Yes. So that is the original document. On the bottom 
right, will you read for me the last, the statement there starting 
with defects identified? 

Mr. Chao. Defects identified by CMS being treated as critical 
target fixes for 9/12. 

Mr. Tierney. And that is, in fact, what you testified to, right, 
that you had found defects? 

Mr. Chao. Yes. 

Mr. Tierney. As you read up from that box, you found that there 
were defects that you decided to disable the shopper function and 
focus instead on plan compare? 

Mr. Chao. Correct. 

Mr. Tierney. Why did you do that? 

Mr. Chao. Because if given the opportunity to choose a more crit- 
ical function, plan compare is much more critical in the path of a 
consumer being able to enroll in health care as compared to the 
ability to browse. 

Mr. Tierney. So you thought that was the best priority and you 
focused attention on that? 

Mr. Chao. At that time, yes, given the CGI resources that were 
available. And actually, there was a subsequent date, I think, I 
would have to locate the documentation. We did do another round 
of testing post-9/12 and it was still failing. 

Mr. Tierney. So you disagree with CGI, they thought it tested 
successfully and you instead had this ongoing belief that it tested 
unsuccessfully, there were defects and that is why you made the 
decision to switch your priorities to the other? 

Mr. Chao. Correct, because the report that I would look at is 
from our ACA independent testers, not from CGI. 

Mr. Tierney. And, in fact, that is why the shopper function was 
disabled, correct? 

Mr. Chao. Correct, based on the report from the independent 
testers. 

Mr. Tierney. So when Chairman Issa stated on national tele- 
vision that the White House ordered you as CMS to disable the 
shopper function in September for political reasons to avoid con- 
sumer sticker shock, that is not true, is it? 

Chairman Issa. I object. The gentleman may not mischaracterize 
my statement. 

Mr. Tierney. The gentleman may not object in the middle of 
somebody else’s questioning. If questions go through the chair, 
which you don’t currently occupy, and I will continue my ques- 
tioning of Mr. Chao. 

Chairman Issa. Mr. Chairman, point of privilege. 

Mr. Meadows. The gentleman is recognized. 

Chairman Issa. The gentleman is repeatedly disparaging and 
mischaracterizing what I have said. Could the chair please direct 
all members, if they want to allege a quote, ensure that it is a 
quote and not in fact a characterization that is inaccurate, as the 
gentleman’s is? 

Mr. Meadows. The chair would remind each and every member 
here to direct their comments, without personality, and directing 
those comments to make sure that they are reflected as to not 
make a personal attack. 

Mr. Tierney. Well, that is well said. I don’t know of any personal 
attacks, so I assume you are directing that at somebody else. 

But I will read a quote on October 27th, from Chairman Issa on 
national television. Here it is: “Contractors have already told us 
that, in fact, people represented that the White House was telling 
them they needed these changes, including instead of a simple ’let 
me shop for a program then decided to register’ they were forced 
to register and go through all the things they have slowed down 
in the website before they could find out about a price.” 

The contractors the chairman referred to were CGI, but CGI offi- 
cials have denied ever saying such a thing. Nevertheless, he went 
on to claim the White House, “buried the information about the 
high cost of ObamaCare” in order to avoid consumer “sticker 
shock.” And that is not why you made the decision to disable that 
program of anonymous shopper, is it, Mr. Chao? 

Mr. Chao. Just as I answered before, absolutely not. 

Mr. Tierney. Thank you. I yield back. No, I yield to my col- 
league. 

Mr. Cummings. I just want to address this to Chairman Issa. 
When speaking to Mr. Connolly earlier, you referred to a letter 
sent to you on November 6th. It is not a letter I sent jointly with 
Mr. Connolly, so he did not read that letter. That letter was about 
MITRE security testing document provided to the committee. 
MITRE told us that like any website security documents, they are 
sensitive, and their release potentially could give hackers hints on 
how to break into the system. 

So I asked you to treat those documents with sensitivity, to con- 
sult with me before making them public. You tried to use my letter 
to argue that the system is not secure, but that is not what I said. 
Every security testing document for every IT system, no matter 
how secure the system is, is sensitive. Every security testing document 
could give ill-meaning individuals help in causing mischief. 

These documents do not mean there are problems with the secu- 
rity of the system. I just wanted to clear that up. And I yield back. 

Mr. Tierney. I yield back as well. 

Mr. Meadows. Thank you. The gentleman’s time is expired. 

Mr. Chao, I know that you have made a number of comments 
with regard to your sworn testimony and what you recall or don’t. 
I would make it available to you for your reference there at the 
desk, if you would like to have that, in case there are other ques- 
tions that are asked regarding that. 

Mr. Chao. Thank you, but I probably would need some time to 
go over it. 

Mr. Meadows. So you need time to review what you have said 
previously on the record? 

Mr. Chao. It was nine hours worth of interview questions. 

Mr. Meadows. Okay. As soon as the hearing is over, if you would 
like to come back and review this, we will be glad to make it avail- 
able to you. 

With that, I recognize the gentleman from Tennessee, Mr. 
DesJarlais. 

Mr. DesJarlais. Thank you, Mr. Chairman. Welcome. I know 
that the hearing is getting long and there has been a lot of questioning 
going on. But there is no doubt that the American people 
want some answers about this huge investment in a rollout of a 
website that certainly didn’t go as planned. It has been a learning 
experience, it has been an educational experience. 

Mr. Park, looking back, knowing what you know now, looking at 
the rollout in October, give a letter grade to the rollout of 
ObamaCare, A through F. 

Mr. Park. That is an interesting question. In terms of the rollout 
of the website, it has obviously been really, really rocky. I kind of 
hesitate to assign a letter grade to it. But it is what nobody want- 
ed. 

Mr. DesJarlais. I think the people appreciate honesty. You don’t 
have to fail it, but what do you think it was, A through F? 

Mr. Park. I think it depends on the user. There were some users 
able to get through, and there were other users, a lot of users who 
couldn’t. 

Mr. DesJarlais. So you are not going to give it a grade? 

Mr. Park. I think that kind of oversimplifies it. 

Mr. DesJarlais. Maybe. But there are a lot of people watching 
who want answers. And this is a complex issue. So just maybe for 
simplification, they would like to know that a lot of people who are 
responsible for rolling this out don’t think that it went very well. 
To listen to this hearing, it doesn’t really sound like a lot of you 
think it was that abysmal of a failure. This hearing started out 
with the ranking member talking about how this is a Republican 
issue, how we are out to destroy health care or the health care law, 
how we are trying to repeal it, how we are trying to not have this 
hearing to see if we can make this succeed. 

Bottom line is, a lot of money was invested in this and people 
do want answers. So it is complex, but yet in a simple fashion I 
think people would like to hear that hey, we screwed up. 

Mr. Chao, could you give it a letter grade? 

Mr. Chao. I agree with Todd that it is highly subjective. 

Mr. DesJarlais. Okay. Fair enough. 

Will anybody give it a letter grade? 

Chairman Issa. Would the gentleman yield? 

Mr. DesJarlais. Mr. Chairman. 

Chairman Issa. Perhaps we could have it as a pass-fail, a little 
less subjective. 

Mr. DesJarlais. Yes, that would be less complicated. Would you 
give it a pass or a fail, Mr. Park? 

Mr. Park. Again, I don’t want to reduce it to something that — 
just to be clear, all of us are frustrated about how the site rolled 
out. None of us think it went well. All of us think it was incredibly 
rocky and we are incredibly focused on trying to fix it and make 
it better. And it is getting better week after week after week. 

Mr. DesJarlais. Okay, so knowing what we know now, Mr. 
Chao, you testified that you were given your marching orders, but 
yet, I don’t think the October 1st date was immovable. Would you 
agree with that? 

Mr. Chao. I don’t have the luxury of determining what date is 
movable or not movable. I was given October 1st as a delivery date, 
and that is what I targeted. 

Mr. DesJarlais. Knowing what you know now, would you have 
pushed harder to have the date moved back? 

Mr. Chao. That is pure speculation. 

Mr. DesJarlais. How can it be speculation? You know what you 
know now. 

Mr. Chao. Because I wasn’t in a position to choose a date. 

Mr. DesJarlais. I am asking today, sitting here today, testifying 
in front of this committee, knowing what you know now, would you 
have pushed harder to move the date back? 

Mr. Chao. I go by what I said. 

Mr. DesJarlais. So you would let history repeat itself. 

Mr. Chao. That is not what I said. 

Mr. DesJarlais. Mr. Park, would you have 

Mr. Chao. That is not what I said. 

Mr. DesJarlais. Okay, Mr. Park, would you, knowing what you 
know now, ask to have this delayed or pushed back? 

Mr. Park. I don’t actually have a really detailed knowledge base 
of what actually happened pre-October 1. I don’t know what levers 
were available. So I would hesitate to make any point now. 

Mr. DesJarlais. So once again, we spent over a half a billion 
dollars of taxpayer money and no one who is responsible for the 
rollout is willing to say that we should have done things dif- 
ferently. The President doesn’t know it, but first of all, we were 
trying to save the American people from a bad law by all that we 
just went through over the past few months. And really, we were 
trying to save the President from himself. He needed to sit down 
and talk with us about delaying this, and nobody sitting on this 
panel, after seeing what a failure this has been over the past 
month, is willing to step up and say, yes, we should have delayed 
this. Is that what I am hearing? I didn’t give everyone a chance. 
Does anyone want to speak to that? 

Chairman Issa. Perhaps the GAO could comment on whether or 
not this was a site that in retrospect should have been launched 
on October 1st and serviced that full six people while millions of 
people were unable to get through. 

Mr. Powner. Clearly, knowing what we know now, a delay in 
rollout would have made sense. But the thing is, we are not privy 
to who knew what when in terms of the test results and all that 
kind of stuff. That is where we don’t have insight into that. 

Mr. DesJarlais. Okay, well, a lot of these regulations, Mr. Chao, 
were delayed until after the election. Do you have any reason why 
a lot of the regulations that probably caused a lot of these problems 
were delayed until after the election? 

Chairman Issa. [Presiding] The gentleman’s time is expired. The 
gentleman may answer. 

Mr. Chao. I don’t have the scope, it is not within my scope to 
cover when regulations get released or not. 

Chairman Issa. Does anyone know? Mr. Park, you were chief 
technology. Mr. VanRoekel, your organization owned the question 
of whether or not in a timely fashion these regulations were cre- 
ated. 

Mr. VanRoekel. No, that is actually a mischaracterization of my 
organization’s role. We and my team are tech policy people, not 
health policy people related to regulations. 

Chairman Issa. But whether the trains run on time, where there 
are things implementing laws, isn’t that what OMB does? 

Mr. VanRoekel. My role in OMB is to set government-wide pol- 
icy to look at government-wide communication of budget. 

Chairman Issa. So we should get the OMB director in here and 
find out why after three and a half years things weren’t done so 
that this could be launched for the American people in a timely 
fashion. I guess we could get a couple of OMB directors. 

The gentleman’s time is expired. The gentleman from Missouri 
is recognized for five minutes. 

Mr. Clay. Thank you, Mr. Chairman, and thank you for attempt- 
ing to get answers to your questions on Healthcare.gov. My ques- 
tions today will focus on the Federal contract between CMS to CGI 
Federal, to set up Healthcare.gov. If any other witnesses, including 
Mr. Powner, care to comment on my question, please feel free to 
jump in. 

Mr. Chao, in your testimony today you stated that CMS con- 
tracted with CGI Federal to build a federally-facilitated market- 
place system, including the eligibility and enrollment system. Ac- 
cording to the Washington Post, this contract is worth $93.7 mil- 
lion. 

How much money from this contract has already been awarded 
to CGI? 

Mr. Chao. I don’t have the exact figures. 

Mr. Clay. What incentives and disincentives were in the contract 
for CGI Federal to successfully fulfill their contract to roll out 
Healthcare.gov? 

Mr. Chao. I think as with, starting at the highest level of the 
Federal Acquisition Regulation has very specific guidance about 
contracting and the contracting framework in which you will then 
award IT contracts, with specifications for something like the 
marketplace. 

Mr. Clay. And they are still working on the website, CGI Fed- 
eral? 

Mr. Chao. Yes. 

Mr. Clay. And they have been paid how much to this point? 

Mr. Chao. I don’t have the exact figures in front of me. 

Mr. Clay. And are you pleased with the product you received 
from CGI Federal? 

Mr. Chao. I think as Todd mentioned, we are all 

Mr. Clay. Look, we have a responsibility as an oversight com- 
mittee, and that is to protect taxpayer dollars. And so I am asking 
specific questions about the taxpayers’ dollars. Perhaps Mr. Powner 
can shed some light on that. Have we paid CGI Federal yet? 

Mr. Powner. I don’t know specifically what went to CGI. We do 
know that the government has paid IT funding over $600 million. 
That is what we do know. 

Mr. Clay. Okay, tell me about the structure of the contract, then. 
If they perform, then they should get paid, correct? 

Mr. Chao. I think how this contract is formulated is that there 
is a performance element to it. So there is a based set of costs that 
are factored into performing the work. 

And then during certain review periods, they could receive a per- 
formance kind of incentive. But I would have to get back to you on 
exactly how that works, because I don’t run the contract. 

Mr. Clay. Would you share with this committee how they are 
going to be paid for the work performed already? Are they still 
working on Healthcare.gov? Since they messed it up in the first 
place, are they still on it? 

Mr. Chao. They are the contractor that does the development, as 
well as ongoing operations and maintenance. So yes, they are still 
working on it. 

Mr. Clay. Mr. Powner, can you shed some light on this? 

Mr. Powner. Yes. I would just like to say that we sit here and 
talk about contractor fault, government fault, government is at 
fault here too on the requirements point of view. It is clear that 
from a requirement perspective there is fault on the government 
side. Congressman Clay, we went through this with the Census Bu- 
reau, with the handhelds, same situation. 

Mr. Clay. Same situation. 

Mr. Powner. Same situation. 

Mr. Clay. But we corrected it. 

Mr. Powner. Ill-defined requirements, we overspent, we came in, 
fixed it. But it is the same situation, ill-defined requirements, ques- 
tions, there are all kinds of questions across the board. 

Mr. Clay. Okay. I have been told that this was simply lazy Fed- 
eral contracting. What are the failures of CMS in policing the CGI 
contract to ensure that the rollout of Healthcare.gov would be a 
success? What are the failures? Can anybody tell me? I’m going to 
go back to CMS. 

Mr. Powner. Executive oversight. I think there is a fundamental 
question. There are to be investment boards in place with these 
agencies and departments. The questions are, what meetings oc- 
curred, who attended, what risks were discussed, what follow-up 
occurred, how timely were those meetings. That is really what we 
need to look at. 

Mr. Clay. Well, and from a taxpayer perspective, these are mil- 
lions of dollars going to a failed product. I don’t think they are 
happy. And with that, Mr. Chairman, I yield back. 

Mr. Cummings. Would the gentleman yield? 

Mr. Clay. I don’t have time. 

Chairman Issa. I would ask unanimous consent the ranking 
member have 30 seconds. The gentleman is recognized. 

Mr. Cummings. Mr. Park, we have had a lot of bad news in this 
hearing. Can you just again tell us where we are and the progress 
we are making, you are making? 

Mr. Park. It is the progress the team is making, I am just a 
small part of the team. But the team is working really hard to 
make progress week after week, just some numbers, which are al- 
ways helpful, right? As I mentioned previously, the average system 
response time, which is the time it takes a page to render a request 
to be fulfilled of a user was eight seconds on average a few weeks 
ago, it is now under a second. Another measure is the system error 
rate, which is the rate at which you experience errors in the mar- 
ketplace application. That was over 6 percent a few weeks ago, now 
it is actually at 1 percent and actually getting lower than that. 

So really good progress, still much, much more to do. A lot of 
work to do. But there is a system and a pattern of attack in place, 
as I mentioned earlier, around monitoring, production stability 
work, functional bug fixing and improvement of these processes. 

Mr. Clay. Would the ranking member yield? 

Chairman Issa. The Chairman would yield to the gentleman 
from Missouri. 

Mr. Clay. Thank you, Mr. Chairman. Mr. Park, what contractors 
are working on fixing the site? Isn’t CGI one of them, CGI Federal? 

Mr. Park. CGI is one. And CMS of course is the manager of all 
the contracts, they could give you the most comprehensive answer. 
But CGI is one, yes. 

Mr. Clay. Thanks. 

Chairman Issa. I thank all of you, and Mr. Park, in case it isn’t 
said again in this hearing, we believe that what you are doing 
today is important. I think what GAO has said is, there wasn’t a 
single point of contact, an expert in charge in a timely fashion that 
would be accountable and coordinate that would, if you will, sleep 
on their floor if that is what it took, before October 1st. So that is 
the big reason we are here today, but I think that is where GAO 
is making the point to all of us that the next time there is one of 
these, we need to have somebody, perhaps not of your stature, but 
as close as we can come, there in the months and years preceding 
it. 

We now go to the gentleman from South Carolina, Mr. Gowdy. 

Mr. Gowdy. Thank you, Mr. Chairman. 

Mr. Park, do you agree that there is a difference between an in- 
nocent misstatement of a perceived fact and a deliberate attempt 
to deceive? 

Mr. Park. Yes. 

Mr. Gowdy. So do I. When did you first realize that you couldn’t 
keep your health insurance even if you did like it, period? 



Mr. Park. Again, that is kind of a health policy matter, that is 
really outside my lane. 

Mr. Gowdy. You don’t know when you first realized that you 
couldn’t keep your health insurance, even if you liked it, period? 

Mr. Park. I don’t recall, no. 

Mr. Gowdy. Would you agree with me that credibility or the lack 
thereof in one area of life can impact credibility or the lack thereof 
in another area of life? 

Mr. Park. I suppose it could. 

Mr. Gowdy. In your written testimony, you wrote, “As you know, 
October 1st was the launch date of the new website, 
Healthcare.gov.” And I did know that. I just didn’t know why. And 
I am going to read to you a quote from Secretary Sebelius. She 
said, and I will paraphrase it initially, that she was hurried into 
producing a website by October 1st because the law required it. 
Now I will read you the direct quote. “In an ideal world, there 
would have been a lot more testing. We did not have the luxury 
of that, with a law that said it is go-time on October 1st.” 

Mr. Park, I don’t know what ideal world she is referring to. So 
I am going to stick with the one we are in. What law was she ref- 
erencing? What law required this website to launch on October 1st? 

Mr. Park. I can’t really speak for Secretary Sebelius. 

Mr. Gowdy. I am not asking you to speak for her. I am asking 
you, what law was she referring to? Is there a law that required 
this website to launch on October 1st? 

Mr. Park. Again, that is a health policy, legal matter. 

Mr. Gowdy. It is actually a legal question. Do you know if there 
is a law that requires this website to launch on October 1st, or do 
you know whether it was just an arbitrary date that the Adminis- 
tration settled on? 

Mr. Park. I actually do not. 

Mr. Gowdy. Would you find that to be important, whether or not 
we really had to go October 1st, given the fact that we weren’t 
ready to go October 1st? Would you find that relevant, whether or 
not we actually had to launch a substandard product? 

Mr. Park. Sir, I am, respectfully, just a technology guy. 

Mr. Gowdy. Don’t short yourself. You are the smartest one in the 
room. 

Mr. Park. That is not true, sir. 

Mr. Gowdy. Trust me. I have been in this room for a while. It 
is true. 

[Laughter.] 

Mr. Gowdy. There is no law that requires that. So what Sec- 
retary Sebelius said was patently false. There is no law that re- 
quired a go-time on October 1st. 

But I want to move to another component of her quote. Some of 
us don’t consider testing to be a luxury. But let’s assume arguendo 
that she is right, that additional testing would have been a luxury 
that would have been nice to have. How much more testing would 
you have done prior to launching? 

Mr. Park. I am not even familiar with the development and test- 
ing regimen that happened prior to October 1. So I can’t really 
opine about that. 

Mr. Gowdy. Let me ask you this. Because you are the smartest 
one in the room, and very good at what you do, where the heck 
were you for the first 184 weeks? If you are being asked to fix this 
after October 1st, in a couple of weeks, where were you for the first 
184 after the so-called Affordable Care Act passed? Where did they 
have you hidden? 

Mr. Park. Sir, in my role at the White House as USCTO in the 
Office of Science and Technology Policy, I am a technology and in- 
novation policy advisor. So I had a broad portfolio of responsibil- 
ities. 

Mr. Gowdy. But you are obviously good enough that they 
brought you in to fix what was broken. It has been called a train 
wreck. That is not fair to train wrecks. It has been called other 
things. They brought you in to fix it. Why didn’t they bring you in 
to start it? Why are you doing a reclamation project? Why didn’t 
you build it? 

Mr. Park. I am part of an all-hands-on-deck effort to mobilize 
across the Administration to actually help under Jeff Zients’ lead- 
ership. And in the lead-up to October 1, that wasn’t part of my role. 

Mr. Gowdy. When will it be operational to your satisfaction? 

Mr. Park. We have a goal that the team is pursuing with tre- 
mendous intensity. 

Mr. Gowdy. How many more weeks? Because I am going to get 
asked when I go home. I know you can appreciate that. I am going 
to get asked. When will it be operational? When will it be as good 
as it can get? Because you will concede the first 184 weeks did not 
go swimmingly. Is it going to be another 184 weeks? 

Mr. Park. Sir, I think the honest answer is that there is a team 
of incredibly dedicated public servants working hard on it. 

Mr. Gowdy. I get all that. I am looking for a number. We can 
interpret the poem later. I am looking for a number. 

Mr. Park. They are working hard to have the site functioning by 
the end of this month smoothly for the vast majority of Americans. 
That is the goal. 

Chairman Issa. The gentleman’s time is expired. I might stipu- 
late for the record that Mr. Park was at HHS at the time of pas- 
sage, and for that roughly first two years. So his expertise does 
come out of the origin of ObamaCare. 

Mr. Gowdy. My question, Mr. Chairman, was simply if he is 
good enough to be brought in to fix it after the locomotive has 
crashed off the mountainside, where in the hell was he for the first 
184 weeks when it was being broken? Why wait until it has 
crashed? If he is a savant, and I am convinced he is, where has he 
been? I know the Obama girl was missing. I think they found her, 
actually, the lady from the website, I think they found her. But 
where has he been? 

Chairman Issa. The gentleman’s time is expired. We now go to 
the gentleman from Texas. Would the gentleman yield for just 10 
seconds? 

Mr. Farenthold. Certainly. 

Chairman Issa. I want to make a statement, and Mr. Gowdy, you 
are right on that they should have had the A team on this and 
some of the people here today clearly were there for the train 
wreck. I want to note that Mr. Park’s duties did not include overseeing 
this website, and I do appreciate the fact that it appears as 
though in 60 days they are going to make right what wasn’t ready 
on October 1st. I think that is what the gentleman wants to be able 
to explain back home, is that we have been told that November 
30th, this will work reasonably well. In other words, a 60-day delay 
or less could have allowed this to be launched in a timely fashion. 
I thank the gentleman and ask that his full time be restored. 

Mr. Farenthold. Thank you very much. 

I do want to follow up on that, Mr. Park. There are a lot of hedge 
words in there, vast majority of Americans, mostly working. Am I 
going to be able to go to the IRS and say, it didn’t work for me, 
I couldn’t get my insurance, I am not going to be fined? You have 
to tell us when it is going to be in good shape. Can you give us 
a date? Is the end of the month realistic? 

Mr. Park. The team is working really hard to hit that goal. That 
is what I am able to say right now, sir. 

Mr. Farenthold. As a former web developer, that is what I was 
telling clients when we were going to miss a deadline, we are work- 
ing real hard to meet it. And I am a former web developer, cer- 
tainly nothing of this scope. But with $600 million I probably could 
have put together a team to do it, and do a better job. 

But I am not going to throw the contractor under the bus. I think 
it is too much money, a lot of issues there. But one of the biggest 
struggles we had when we were developing websites was getting
stuff from the client, whether it was their copy for the text of the 
website or whether it was the specifications. The copy we could 
change pretty quick, we could just cut and paste it out of the email 
into an HTML editor or content manager. 

But when the actual specifications for how it goes change up to 
the last minute, it is very difficult to do. Mr. Chao, how late were 
there substantial changes being ordered to the website? Do you 
have a time frame how long before that October 1st launch? 

Mr. Chao. I don’t think there were any substantial changes or- 
dered. It was more a standard practice of looking at how much 
time you have left, watching your schedule very closely and the pri- 
orities that are set by the business. 

Mr. Farenthold. And then figuring out which corners to cut. 

I want to follow up on a couple of questions that some other folks 
asked that I didn’t think got completely answered. Mr. Jordan 
asked you, Mr. Chao, if it was thoroughly tested. You said yes, it 
was thoroughly tested. Mr. Jordan didn’t ask the next follow-up 
question, how did it do on those tests, did it pass? 

Mr. Chao. If I said thoroughly, I apologize. 

Mr. Farenthold. Maybe he said it was tested. 

Mr. Chao. It was tested under the prescribed, we were talking 
about security testing. So I was saying that it was tested under the 
prescribed security controls. 

Mr. Farenthold. And let me follow up with Mr. Park on some- 
thing Mr. Lankford asked. He was concerned about either members 
of your team or other folks having access to sensitive data. Those 
days you were sleeping on the floor, could you have walked in to 
a server with a thumb drive and walked out with people’s personal 
information like Mr. Snowden? Are those security risks there? 

Mr. Park. No, I could not have. No. 

Mr. Farenthold. That is a little bit reassuring.

Let me also ask Mr. Chao or Mr. Powner, with respect to the pri- 
vate sector, if there is a data breach or a compromise, your credit 
card information or your personal information gets released, there 
is a Federal law requiring notice. I just got a notice from a major 
software company that my credit card had been compromised. Will 
we find out if our information on Healthcare.gov is compromised? 
Is there a notice requirement? Is there something in place? Will we 
know if that information has been hacked and is public? 

Mr. Chao. Yes, there are actually several laws and rules that 
apply, particularly with disclosing any incident or breach that in- 
volves a person’s information. 

Mr. Farenthold. Okay, so there are no special exemptions in 
ObamaCare. We will hopefully find out. 

Again, I am just concerned. We are at a time right now where 
the trust in government has never been lower. We have the whole 
NSA-Snowden incident, we have the IRS looking at people for po- 
litical purposes. You will excuse me if I am concerned that we have 
a massive website that is a target for hackers that a lot of people 
have information to that by definition reaches out and touches the 
IRS and Social Security computers. Whenever you connect com- 
puters together you open pathways to hackers. So I am very con- 
cerned about the security issues. I just want to make sure we are 
going to know if there are some problems that they are not going 
to be swept under the rug for political purposes. 

Mr. Chao. We worked closely with Frank Baitman’s security op- 
erations at the Department level as well as extensive computer 
testing. 

Mr. Farenthold. And finally, Mr. Chao, you stated earlier in 
your testimony that the anonymous shopping feature, which I 
would love to see, I don’t think it is even in place now, but it was 
disabled before the election. We can talk about political purposes 
or not. 

Chairman Issa. I think the gentleman is saying before the Octo- 
ber 1st launch. 

Mr. Farenthold. It was deleted. Why wasn’t the October 1st 
deadline pushed back because it didn’t work? Why wasn’t the whole
thing delayed? When you delayed the anonymous shopping part, 
the part we all feel most safe about, going and finding out how 
much it will cost without revealing personal information, you de- 
layed that, why didn’t you delay the whole thing when you knew 
it wasn’t going to work? 

Mr. Chao. I think anonymous shopper was a very narrow slice 
of looking at what the tradeoffs would be in putting something into 
production as opposed to 

Mr. Farenthold. Again, I am sorry, I am out of time. But I do 
want to say, with my lack of trust in the Federal Government now, 
I am loath to put my personal information in and would love to
shop anonymously, just like I did on some of the private exchanges
in Texas as I look for what I am going to do about my personal health
care. I don’t think you have to give up your personal information 
to get prices for something. You don’t have to do it on an airline 
website, you don’t have to do it on Amazon and you shouldn’t have 
to do it on Healthcare.gov. 



I yield back. 

Chairman Issa. I thank the gentleman.

Is the gentlelady from New Mexico prepared to go? 

Ms. Lujan Grisham. Yes, Mr. Chairman, I believe so. 

Chairman Issa. You are recognized. Thanks for coming back.

Ms. Lujan Grisham. Absolutely, thank you. 

Actually, before we start, I realize I wasn’t here for this state- 
ment, but I want to echo what my colleague Congressman 
Lankford said about gaps in coverage. Coming from a State with 
nearly 25 percent uninsured, two things have occurred. One, people 
who as of October 1st couldn’t get on the website and are con- 
tinuing to follow this issue very closely, their individual or family 
plans expired or were expiring and so they went off the exchange, 
because they can’t get on, and purchased brand new policies for an- 
other year. Unlike the small businesses, they are in that now for 
a year. And they are paying much higher rates than they would 
have could they have gotten on the individual exchange, because 
New Mexico is a partnership State. 

Then second, as December 15th looms ever closer, we know that 
that is another important deadline for many individual plans. We 
have the same issue and I am very concerned about that, and I ap- 
preciate that it was brought up. So I told you about what we are 
working through. We have been fighting for a long time in New 
Mexico to find ways to have access to affordable coverage. I need, 
we need, my constituents need this website to work. We need to en- 
roll in the exchange. I know you have heard all day long that we 
are all frustrated. They are frustrated, I am frustrated. And while 
I wish that we had better solutions for them earlier on, my biggest 
concern is that we are reaching a critical point in the implementa- 
tion time line. 

In order to ensure that there is no gap in coverage between plan 
years, individuals and families who would like to choose a plan 
from the exchanges, as I said earlier in my remarks, have to be en- 
rolled by December 15th. Your stated goal of fixing the website by 
the end of November leaves very little room for error. And I know 
it is not easy. But while you are here, I just want to make sure 
that for the record, we are emphasizing that there is real urgency 
here. 

Mr. Park, I think that you have a deep appreciation for how 
transformative good technology can be. But I would like to know 
if this is a time constraint that you are aware of, and also more 
broadly if you feel the same urgency that I do about getting the site 
operational for as many users as possible. 

Mr. Park. Absolutely. 

Ms. Lujan Grisham. All right, then, I can imagine that leaving 
your office for at least an entire day would have pretty important 
impacts on your work fixing the website. What would you be doing 
if you weren’t here today? 

Mr. Park. I would be working with the team on the site. 

Ms. Lujan Grisham. So Mr. Park, I wish that you were working 
on Healthcare.gov, on the website, right now. And part of this com- 
mittee’s job is to ensure that you have all the tools and resources 
that you need to do your job. What else can we do to assist you 
to get this done? 

Mr. Park. Well, again, I am a small part of the broad team that
is working incredibly hard, led by Administrator Tavenner and Jeff 
Zients, and the CMS team. I would say just one member of the 
team who could be responsive to that. And there are requests for 
assistance, that would be correct. 

Ms. Lujan Grisham. Great. I think we are going to need more 
clarity about that. I also agree with this committee’s efforts to talk 
about reforming IT procurement. I don’t know if today is the day 
to try to deal with those best practices. Given that States do it 
poorly and the Federal Government is doing it poorly and that we 
have spent millions I guess, the whole Country analysis, billions of 
dollars on IT projects that haven’t done well anywhere in the pub- 
lic center. We have to figure out a better way to do that. I hope 
that this committee will continue to lead that effort in a bipartisan 
way. 

But I want to go back to the situation that we are in. I want to 
be results-oriented. I want to solve these problems. I feel like we 
shouldn’t be pulling a surgeon from the operating room today. So
thank you, Mr. Park. I yield back. 

Mr. Park. May I just make one more statement? 

Mr. Cummings. I just wanted you to yield. 

Mr. Park. So do you yield? 

Ms. Lujan Grisham. I do. 

Mr. Park. I just wanted to actually not lose the second to last 
thread that you started, which was IT procurement. I think that 
is a phenomenally important issue. This committee has done ter- 
rific work on it, I think you can actually do more. So I would love 
to see a high energy bipartisan effort attacking this issue from 
multiple dimensions. I know less about it than many people on this 
committee. What I do know is that there is not a single silver bul- 
let. There are decades of practices and rules and laws that have ac- 
tually led to where we are now. But I think with a concerted effort, 
high energy effort, bipartisan effort that we could actually take this 
out and deliver better, faster, higher return results to the Amer- 
ican people. 

Chairman Issa. I ask unanimous consent the gentlelady have an
additional 30 seconds. Without objection, so ordered. And would 
you yield to the ranking member? 

Ms. Lujan Grisham. Yes. 

Mr. Cummings. Thank you. 

Chairman Issa. The gentleman is recognized. 

Mr. Cummings. I want to just get to the bottom line here. What 
will happen is that people are sitting there, and I agree with the 
gentlelady, looking at results, when we go back to what happened 
with Lankford and he was trying to get on the page, Mr. Park, and 
he couldn’t get there, could you talk about that for a minute? Be- 
cause that is real. 

And there are probably people watching us right now who are 
trying to get on the page. Can you tell us what you are doing and 
how that affects things like that? Because they have reporters now 
that sit on telecasts, and they say, I waited an hour, I waited two 
hours. So tell us how that relates to what you are doing, so our 
constituents can have some kind of assurances that things are 
going to get better. Do you follow me? 

Mr. Park. Absolutely, sir. Thank you for the question.

I will just answer it quickly, because I know we have limited 
time. One, there have been dramatic improvements in the ability 
to, as a consumer, create an account and get on the site. And all 
the metrics that we are seeing, that has been a function of
basically improving the ability of that path so it can handle volume
through capacity expansion, software work and also fixing bugs. So 
many, many more people are actually able to get through now than 
at the beginning. 

That being said, it is not perfect yet, so I actually would really 
love to follow up with the Congressman to understand his par- 
ticular use case and dial that back to work with the team. 

Also, there are folks who early on got caught in the middle of 
that cycle and are stuck there. Those are folks that CMS is now 
reaching out to, as we talked about earlier in the hearing, to actu- 
ally get them through the process cleanly. So it is an issue that ac- 
tually I think has been in large part addressed but there is still 
work to do. I do want to follow up with the Congressman and un- 
derstand the specific use case he has had and his situation so we 
can figure that out. 

Chairman Issa. Thank you.

Now as we go to Mr. Massie, who from a standpoint of his edu- 
cation and known IQ, could in fact rival you as the smartest guy 
in the room. 

Mr. Massie. No, I am from the trade school that is a mile down 
the river from your arts school that you attended. 

Chairman Issa. You had better share that with the rest of the 
world. 

Mr. Massie. I went to MIT, you went to Harvard. 

Mr. Park. You could definitely kick my butt, sir. 

[Laughter.] 

Mr. Massie. Maybe we could share some numbers later. I am 
sure we share an affinity for numbers. 

But first I want to talk about the final security control assess- 
ment that was prepared by MITRE, and just read a little bit of 
that. It says MITRE was unable to adequately test the confiden- 
tiality and integrity of the HIX access in full. The majority of 
MITRE’s testing efforts were focused on testing the expected 
functionality of the application. Complete end-to-end testing of the 
application never occurred. 

So this was MITRE’s final security control assessment. And we 
are throwing around a lot of three-letter acronyms, HIX, CMS, 
ATO. But I have a document that has CYA written all over it here, 
Mr. Chao. You wrote a letter, and this is the final ATO, or author- 
ity to operate, to Marilyn Tavenner, which she signed off on. In 
this letter, you stated, “Due to systems readiness issues, the SCA,” 
and that is security control assessment, “was only partly com- 
pleted. This constitutes a risk that must be accepted and mitigated 
to support the marketplace day one operations.” 

In this sentence here, and this was written on September 27th, 
or certainly signed off on September 27th, were you trying to tell 
your boss that there is a risk and I am not going to accept it, but 
you must accept this risk, we can either delay the date or we can 
accept the security risk? 

Mr. Chao. I think I was outlining more of a generalized risk
acceptance with a fairly significant rollout of the marketplace system.

Mr. Massie. But that risk existed because there had never been 
an end-to-end security test on this, is that true? That is basically 
what the letter states here. 

Mr. Chao. I think in previous testimony I have also said that 
end-to-end is a highly subjective term. 

Mr. Massie. If it is subjective, how are you going to get it done 
in 60 to 90 days? 

Mr. Chao. It depends on the scope of what you are trying to put 
in production. 

Mr. Massie. Well, the scope is, is our data safe? Is the personal 
information that Americans enter into the system going to be safe? 
For instance, in this same letter, and it is a very short letter, 
signed by Marilyn Tavenner on September 27th, you suggest that 
we conduct a full security control assessment, so I will let you de- 
fine what that is, in a stable environment, which implies that you 
don’t have a stable environment right now, where all security con- 
trols can be tested within 60 to 90 days of going live on October 
1st. 

Here is what troubles me about this letter. You are basically say- 
ing, look, we can go live but there are going to be security risks. 
But let’s test it on real people’s data, on real personal information. 
Let’s test it for 60 to 90 days. 

Mr. Chao. No, that is not what I said. That is not what the 
memo alludes to. When we do security testing, we don’t do it in 
terms of using live people’s data. We do security testing in a pre- 
implementation environment prior 

Mr. Massie. Well, I would contend we are beyond pre-implemen- 
tation. We are testing this in the real market and it is failing. 

You said that the format of this ATO is not typical, is that true? 

Mr. Chao. It is true. 

Mr. Massie. So you have never seen that sort of format before. 
Is it a problem that you were not given the final security control 
assessment prior to authoring the ATO, authorization to 

Mr. Chao. I don’t think that is necessarily a problem, because 
my staff were copied on it. 

Mr. Massie. But you didn’t get to see it. You said, actually I 
didn’t get a copy of the final ATO. 

Mr. Chao. Correct. 

Mr. Massie. Those are your words. 

Mr. Chao. Because I was with the information systems security 
officer in Herndon when these tests were being conducted. It was 
determined that there was no high finding 

Mr. Massie. As the person with responsibility for the authoriza- 
tion to operate, I think you should have been at your desk reading 
the final security control assessment. 

Mr. Chao. I was there in person. 

Mr. Massie. But I am glad to see that you covered yourself by 
putting this sentence in here. 

Mr. Chao. That was not to cover myself. That was a decision 
memo between her and I. 

Mr. Massie. Are any among you today willing to bet your job
that thousands of people’s personal data won’t be released because 
of implementation of this website? 

Chairman Issa. That is certainly a yes or no question.

Mr. Massie. That is a yes or no question. 

Mr. Chao. They are trying to ask us to predict something that 
security vulnerabilities are as, some folks have mentioned before, 
it happens every day. That is why we do security testing. 

Mr. Massie. Obviously from the documents here, you weren’t 
comfortable with this, you were trying to transmit to your boss, let 
me just read your words again, “This constitutes a risk that must 
be accepted and mitigated to support the marketplace day one op- 
erations.” In other words, to launch this thing by October 1st you 
were telling your boss she is going to have to accept some risks 
that are not normal for this. 

[Simultaneous conversations.] 

Chairman Issa. Quickly. The gentleman’s time is expired. 

Mr. Massie. Okay. Mr. Park, we have Mr. Chao saying 17,000 
users an hour can subscribe. And we have Mr. Lankford who has 
been waiting for over an hour and a half. We have five orders of 
magnitude difference between those two numbers. Which is closer 
to the truth? 

Chairman Issa. The gentleman may answer. 

Mr. Massie. How many people an hour are able to enroll in 
healthcare? 

Chairman Issa. The gentleman previously said 17,000. Is that 
correct? 

Mr. Park. Seventeen thousand registrations for new account per 
hour is the number that we have. 

Mr. Massie. I imagine you have a war room somewhere where 
you are directing these operations and you have some big number. 
The only number that matters, how many are enrolling? How many 
are enrolling right now per hour? Can you tell us? 

Mr. Park. Actually what the war room tracks 

Mr. Massie. Just a number. Come on. We both love numbers. 

Chairman Issa. Let the gentleman answer. Your time is expired,
please. It is a Harvard-MIT problem, I think. 

[Laughter.] 

Mr. Park. In terms of enrollment numbers, those are going to be 
released by the Administration shortly. 

Chairman Issa. I thank the gentleman. We now go to the gen- 
tleman from Pennsylvania, Mr. Cartwright. 

Mr. Cartwright. Thank you, Mr. Chairman. 

The Affordable Care Act was passed into law in 2010. It seeks 
to increase competition in the marketplace, to help bring down 
health care costs. It ends the practice of denying coverage to those 
with pre-existing conditions, bans annual and lifetime limits on 
health care benefits, it also enables parents to keep their children
on health care until they are 26 years old, and it makes small busi- 
nesses eligible for tax credits to ease the burden of employee cov- 
erage. 

The law also works to strengthen Medicare and will make pre- 
scription coverage for seniors more affordable. These tax credits are 
desperately needed in my district, where nearly 9.4 percent of my 
constituents live below the poverty line; 70,000, that is 10.5
percent, do not have health insurance in my district, including 6,500
children. They will be able to utilize the subsidies offered under the 
Affordable Care Act finally to get health care. 

Now, I also want to get to the bottom of what is going on with 
this website, Healthcare.gov, and I support oversight hearings for 
that purpose. However, this hearing, like so many previous hear- 
ings this committee has held, is clearly an extension of the politi- 
cally motivated repeal or delay agenda that some of my friends on 
the other side of the aisle have been pushing since this law was 
first passed in 2010. 

It seems to me that if the chairman really were so worried about 
getting this website fixed, so that people could actually access af- 
fordable health care, he would not have subpoenaed Mr. Park to 
come in and testify today. In fact, Mr. Park agreed to testify before 
this committee just two and a half weeks later. But the chairman 
refused that offer and subpoenaed him anyway. The chairman’s 
subpoena, combined with the constant releasing of partial tran- 
scripts, taking witnesses’ quotes out of context, it seems like it is 
part of a predetermined political strategy rather than a construc- 
tive effort to conduct responsible oversight as this committee is 
supposed to do. 

In fact, although the chairman claimed otherwise in his opening 
statement here today, the House Republican Conference is politi- 
cizing this issue. And here is the proof. They have issued a play- 
book to Republican Members, and they actually call it that, a play- 
book, right on the cover of the thing. It doesn’t say how to fix prob- 
lems with the website or improve the process, or work to ensure 
Americans health care. It tells them how to exploit any challenges 
or glitches for their own political gain. 

I am not saying all Republicans are doing this. But it certainly 
seems to me in this forum that the chairman of this committee is. 

Chairman Issa. Would the gentleman like to place that into the 
record? Because I haven’t seen it. 

Mr. Cartwright. Yes. 

Chairman Issa. Without objection, so ordered.

Mr. Cartwright. It is my hope that we can have oversight with- 
out this kind of gamesmanship and partisan politics as this com- 
mittee has been able to do in the past. I really would like to get 
to the bottom of what is going on with the website, because I want 
my constituents to be able to sign up for quality, affordable health 
care. 

Mr. Chao, on November 7th, Chairman Issa issued a press re- 
lease with the headline “AACA Testing Bulletin: Healthcare.gov 
Could Only Handle 1,100 Users Day Before Launch.” He then ac- 
cused Jay Carney and Mr. Park of making false statements to the 
American people by suggesting that officials estimated capacity at 
about 60,000. That is what the chairman said, “Jay Carney is being 
paid to say things that aren’t so. But in this case, Todd Park and 
other people who knew the facts, who had to know the facts, and 
the facts were from documents we received from lead contractors 
that slowed down to an unacceptable level at 1,100 users. Well, in 
fact, Todd Park was telling us that at 60,000 was the target and 
at 250,000 they just couldn’t handle it.” 

As the basis for that allegation, the chairman quoted from a
testing document that he released which says this, “Ran performance
testing overnight in IMP1B environment, working with CGI to tune 
the FFM environment to be able to handle maximum load. Cur- 
rently we are able to reach 1,100 users before response time gets 
too high.” 

Mr. Chao, it is my understanding that the IMP1B environment 
was only a sample testing environment, not a test of the full pro- 
duction capacity of the entire website. Am I correct in that? 

Chairman Issa. The gentleman’s time has expired, but the
gentleman may answer.

Mr. Chao. You are correct, the what we call implementation IB 
environment is about 10 percent the size of the full production en- 
vironment. 

Mr. Cartwright. Thank you. I yield back. 

Chairman Issa. I thank you. We now go to the gentleman, Mr. 
Meadows. Mr. Meadows, would you yield for just 10 seconds for a 
comment? 

Mr. Meadows. Certainly, Mr. Chairman. 

Chairman Issa. I never could quite understand how this thing 
could handle 60,000 simultaneous users but only do six in a day. 
So maybe unlike some of the smart people here, I just don’t get it. 
But six in a day doesn’t seem like 60,000 simultaneous users. I 
thank the gentleman. 

Mr. Meadows. Thank you, Mr. Chairman, and thank each one 
of you for coming to testify. Mr. Park, you are not old enough prob- 
ably to remember this, but I remember the Six Million Dollar Man. 
You are now the $600 million man, because you are coming in to 
fix all this. So we are hopeful that you, based on the people that 
I represent, that you are successful by November 30th. 

We do want to ask you, though, how do we define success? Be- 
cause the talking points are all that it is going to be fixed for the 
vast majority of Americans as they go on. And we see Mr. Lankford 
here, he can’t get on. So what is success? Is it a 98 percent without 
wait time? How do we define success so on December 1st, we will 
know whether you were worth $600 million or not? 

Mr. Park. Thank you for your comments and your question. First
of all, I am just a small part of the team working to fix this. 

Mr. Meadows. So what is success? 

Mr. Park. Success is, first of all the site will most definitely not 
be perfect. 

Mr. Meadows. But when the President asks you, were you suc- 
cessful, how do you define success? 

Mr. Park. First of all, on a system that is stable, so it is actually 
up and running consistently. 

Mr. Meadows. What percentage of the time? Ninety-eight per- 
cent of the time? 

Mr. Park. One proxy that we are using actually is, for its per- 
formance in general is response time and error rate. And if the sys- 
tem actually has issues and goes down then actually these things 
can then exacerbate those rates. 

Mr. Meadows. I am going to run out of time. What I would ask 
you to do is, for the record, get to the committee what we can look 
to so we can disseminate to all of America on what success is, so
on December 1st, we will all know. 

Mr. Park. I will take that back, absolutely. 

Mr. Meadows. All right, thank you. 

Mr. Chao, much of your testimony is, I have read some of your 
testimony and it seems to be a little different. But I also know that 
you had several meetings, ongoing meetings with White House 
staff over this process, is that correct? 

Mr. Chao. I accompanied Marilyn Tavenner and other directors, 
such as Gary Cohen. 

Mr. Meadows. So how many times were you at the White 
House? 

Mr. Chao. Over the course of three years, maybe less than two 
dozen times. 

Mr. Meadows. Because the logs suggest 29 times, is that correct? 
Would that be in the ballpark? 

Mr. Chao. That might not be accurate, because some meetings 
were 

Mr. Meadows. Who conducted these meetings? Jeanne 
Lambrew? 

Mr. Chao. I believe her name is pronounced Lambrew. There 
were meetings conducted by her. Also, I met with Steve VanRoekel. 

Mr. Meadows. In those meetings? So you all were a part of those 
meetings? 

Mr. Chao. No, Steve chaired a

Mr. Meadows. I am asking about the White House meetings. So 
there were 29 White House meetings of which you had this group. 
Who were the people in the room? Were you in there? 

Mr. Chao. I am not trying to be difficult, but there are different 
parts of the White House. There is a White House conference cen- 
ter. 

Mr. Meadows. Okay, the meetings with Jeanne, she was leading, 
the 29 meetings, about two dozen. 

Mr. Chao. That was probably less than a handful. 

Mr. Meadows. Okay. I guess my question is, I am a little con- 
fused how the President would be surprised that this was such a 
debacle on October 1st if you all were meeting regularly with the 
White House. Why would they be surprised on October 1st that it 
didn’t roll out the way everybody thought it should? 

Mr. Chao. I think the subject matter, at least with my attend- 
ance being there, was to discuss things such as the status of the 
Hub development. 

Mr. Meadows. So did anybody express concern that there was a 
problem, that October 1st there was going to be a problem? 

Mr. Chao. No. 

Mr. Meadows. There was no one in that room? We had all the 
brightest minds in the world in this room and no one anticipated 
a problem on October 1st? 

Mr. Chao. They were highly specific issues, such as working on 
6103 requirements with IRS, Privacy Act implementation with 
SSA, they are very operationally specific. 

Mr. Meadows. So you all weren’t meeting on how the website 
was going to work? 

Mr. Chao. Not meetings — my meetings were more operationally
focused about implementation. 

Mr. Meadows. So it is plausible that the President would be sur- 
prised that this wasn’t going to work, based on those meetings? 

Mr. Chao. I wouldn’t know that. 

Mr. Meadows. So who would have been in the best position to 
be able to advise the President that we were going to have this un- 
mitigated mess? Anybody in that room? Who should we bring back 
here, I guess is what I am saying, Mr. Chao, that can help the 
American people understand why this was such a fiasco? 

Mr. Chao. I really don’t have an answer to that. 

Mr. Meadows. Mr. Chairman, I yield back. It is amazing how we 
could find how you can’t answer a simple question for the Amer- 
ican people. 

Mr. Chao. I don’t think that is for me to decide. 

Mr. Meadows. I asked the question. It is for you to answer. 

Mr. Chao. Okay, so my answer is, it is not really for me to de- 
cide. 

Chairman Issa. Mr. Meadows, your time is expired and I strongly
suspect that as is often said in politics, success has many fathers,
quite a few mothers, plenty of relatives, but failure is an orphan.
You are going to find an orphan here, if I have ever heard
or seen one.

With that, the patient gentleman from Massachusetts, Mr. 
Lynch, is recognized. 

Mr. Lynch. Thank you, Mr. Chairman. 

I want to thank the members of the panel for coming forward 
and their willingness to help the committee with its work. 

I do want to say just at the outset that my experience in Massa- 
chusetts with the Massachusetts health care, so-called 
RomneyCare, that was a precursor to this in many ways, I am 
speaking of the Affordable Care Act, also rolled out very, very slow- 
ly. That is my experience, being on the ground in Massachusetts 
when that plan went forward. So it was very slow in ramping up. 
Of course it didn’t have the urgency of this program. It was sort 
of planned that way. 

I also remember the Medicare Part D Act, which was a Repub- 
lican initiative, also rolled out extremely slowly. I know a lot of my 
seniors, I had to do 16 town halls around my district to try to tamp 
down the backlash because of the slowness of how that was ramped 
up. So this is not, this experience is not out of line with those other 
two programs. So I just wanted to make that note. 

I have had a chance to go out and talk to some of the outreach 
workers. A lot of the outreach on the Affordable Care Act in my 
district is being conducted through the local community health cen- 
ters. I have basically an urban district. So the health center em- 
ployees are going out and signing people up. 

One of the concerns that they have raised is that the Affordable 
Care Act is so focused and sort of facilitated by an email address. 
People have to have an email address in order to interact with this 
whole thing. If you look at the demographic of the 31 million people 
who we are trying to get health care to that were not receiving 
health care before, the poor, the elderly, that is a high correlation 
between folks who didn’t get health care before and don’t have an
email. 

So the outreach workers, when I said what is your biggest prob- 
lem, they said, well, when we are working with the elderly and we 
are working with low income families, the poor, they don’t have an 
email address. And the system we have is basically, it requires an 
email address. To do it otherwise, to scratch that itch, we are some- 
how going to have to close that gap. Because a lot of these folks 
don’t have email addresses and yet they are the very people that 
we are trying to get health care to. 

Has any thought been given to, look, this was supposed to be the 
easy part, getting people up on the grid. I am not talking about 
making health care affordable or high quality health care or mak- 
ing sure access is there. Just getting up on the grid, this was sup- 
posed to be the easy part. 

So I am concerned, I am concerned about where we are today 
and where we need to get to in order to meet any definition of suc- 
cess. So what are we doing about those people, who don’t have an 
email address because they are poor or elderly, they are not on the 
grid? How are we going at them? Anybody got an idea? 

Mr. Chao. We do operate call centers. We have 12 call centers 
in which people can work with a live person online to fill out the 
application and to go through their determination process and to 
select a plan. 

Mr. Lynch. Yes, but at least the workers I have talked to have 
said it is like 31 or 34 pages. Do they have to go through a 34 page 
application on the phone? 

Mr. Chao. I think what happens, the call center experience is, 
isn’t you are necessarily filling out a paper application. You can 
start that way and submit it that way. But I think you can also 
start with a call center representative. 

Mr. Lynch. Well, I am not so sure that is working. That might 
be part of our problem. I have a district where I have a lot of sen- 
iors, a lot of folks that are struggling. So we have to figure that 
one out. 

Mr. Chao. We can certainly confirm that, that process or that 
procedure. 

Mr. Lynch. That will help. 

The other situation is this. At the same time that we are trying 
to get this up, get people on the grid, we have employers that are 
making decisions not to continue health care plans for their em- 
ployees. So they are unplugging and they are sending people to the 
exchanges. So I have employers out there, a lot of them in the con- 
struction industry, that are saying, I know I used to provide health 
care for you, but now I want you to go to the exchanges and get 
them. So they are unplugging, they used to provide health care. 
And now these employees in the construction industry are trying 
to plug in. And they are having these problems. 

I am wondering, is there any way to sort of make sure that that 
unplugging doesn’t occur until we have a platform that we are con- 
fident people can plug into? I think there is going to be a gap here. 
It concerns me greatly that we have so many people in the con- 
struction industry that are, and I have met with union employers, 
about 50 union employers and about 35 non-union or open shop 
employers that are both having the same problem. I think there is
a mismatch in what is going on here, where the employers are dis- 
engaging and sending their employees to the exchanges. And when 
they try to go to the exchanges, they are having problems signing 
up. I am wondering if there is some corrective action that we might 
be able to take, either delaying the process for employers to dis- 
engage or just giving people time to hook into the system that is 
not ready for prime time. 

Chairman Issa. The gentleman’s time is expired. The gentleman
may answer. If the gentleman would yield just briefly? 

Mr. Lynch. Sure. 

Chairman Issa. I was hoping you would suggest the question of,
can’t we do this by mail. 

[Laughter.] 

Mr. Lynch. That is an inside joke. 

Chairman Issa. But in all seriousness, the fact is that if some- 
body doesn’t have email capability, why couldn’t they make a call 
to a call center, receive those many pages, fill out that paperwork, 
return it in a self-addressed stamped envelope, so that in fact the 
Post Office could ensure that the elderly people not comfortable 
with email and so on. 

Mr. Lynch. Well, it is just my thought, and I won’t take longer 
time than you did, but I know that generally, we are trying to get 
away from a paper process. So I suppose as a little inefficient it 
might be necessary, but it is not the ideal now. 

Mr. Chao. Could I just answer that? It is not really, we are not 
considering that as a last resort, because paper is a last resort, but 
we do make accommodation, if you want to start the process in 
paper, you can, and then mail it in to our eligibility support worker 
contract, which will then take you through the rest of the process. 

Chairman Issa. I thank you. 

And with that we go to the gentleman from Michigan, Mr. 
Amash. 

Mr. Amash. Thank you, Mr. Chairman. I am going to yield my 
time to my friend, the gentleman from Ohio, Mr. Jordan. 

Chairman Issa. The gentleman from Ohio is recognized, and 
without objection, the gentleman from Ohio will be able to control 
the time. 

Mr. Jordan. I thank the gentleman for yielding. 

Mr. Park, Mr. Meadows asked the pertinent question. There 
were a series of meetings held at the White House, weekly meet- 
ings that were presided over by folks in the White House. Mr. 
Meadows asked who were those people who need to come in front 
of this committee who can answer the questions. The questions 
like, why didn’t you know that the security assessment wasn’t com- 
pletely done end-to-end testing? Who can answer the questions 
about why you decided to go ahead and launch this on October 1st? 

And we know who that person is, because according to the Wash- 
ington Post story, November 2nd, a memo that they got from David 
Cutler spells it out. Mr. Cutler said, we need to put someone from 
the private sector in charge, someone who has run a business, 
someone who has that kind of experience and expertise. And the 
President said no, he had already put in the article, he had already 
made up his mind, Nancy Ann DeParle is that person. 
So that is the person we need, Mr. Chairman.

And Mr. Cutler also points out, Mr. Meadows referenced this as 
well, according to the memo, the overall head of implementation in- 
side HHS was Jeanne Lambrew. So those are the two people we 
need. Would you agree, Mr. Park, they need to come here and tell 
us what took place, why these decisions were made, why it was 
done the way it was done, these are the two key people? This is 
the lady the President said, no, that is who I want in charge. Even 
though Peter Orszag, Larry Summers, Zeke Emanuel and David
Cutler said, put someone else in charge, the President said, no, I 
want Nancy Ann DeParle in charge, don’t you think she should 
come in front of this committee, Mr. Park? 

Mr. Park. Respectfully, I can’t really speak to that, sir. 

Mr. Jordan. I know. We are probably going to have to do the 
same thing for her that we did for you, we are going to have to sub- 
poena them. Because yesterday, last week, the Chairman and I 
sent a letter to the White House asking that simple question, 
would Ms. DeParle, the person hand-picked by the President to run 
this operation, would she come in front of this committee and tes- 
tify about this disaster this rollout has been, and would Ms. 
Lambrew come as well. And the response we got back yesterday 
from the White House was, thank you for inviting us, but we are 
not coming. 

So it looks like we are going to have to do the same thing, Mr. 
Chairman, that we had to do with Mr. Park, to get the two key 
people to come here. 

Now, according to White House logs, Mr. Chao, you testified you 
had been there between 10 and 29 times to these meetings, and Mr.
Park, nine times according to White House logs, you have been to 
nine of these where Jeanne Lambrew ran the meeting. Is that cor- 
rect, Mr. Park, you went to the White House when Ms. Lambrew 
ran these weekly meetings? 

Mr. Park. I can’t verify that. 

Mr. Jordan. But that is what the visitors log says. Were you in 
meetings with Nancy Ann DeParle and Jeanne Lambrew at the 
White House? 

Mr. Park. From time to time, yes. 

Mr. Jordan. And of course the meetings were about the rollout 
of the Affordable Care Act and the website? 

Mr. Park. As I recall, there were different kinds of meetings that 
I attended from time to time. 

Mr. Jordan. Were they about ObamaCare, Mr. Park? 

Mr. Park. They were about the Affordable Care Act. 

Mr. Jordan. Right. And what is your official title? You are head 
of information technology for the entire United States? That is your 
title? So I assume it was about information technology, correct? 

Mr. Park. No, actually, sir, first of all, I am a technology and in- 
novation policy advisor in the Office of Science and Technology Pol- 
icy. So I am not the head of IT for the U.S. Government, just to 
clarify. And I can’t actually recall, like for the meetings, what par- 
ticular topics were discussed, off the top of my head. So unless 
there is more specificity. 

Mr. Jordan. At any time during these nine different meetings 
you had, or more, for that matter, meetings you had, was the rollout
of ObamaCare discussed and the concerns about this thing not
being ready on October 1st? 

Mr. Park. Again, without more specificity 

Mr. Jordan. Mr. Chao, on these meetings, who ran the meetings 
that you attended 29 times at the White House? Who was in 
charge of running the meetings then? Were any of those meetings 
run by Ms. Lambrew or Ms. DeParle? 

Mr. Chao. I don’t think it was 29 times. 

Mr. Jordan. You testified between 10 and 29. So whatever the 
numbers, in those meetings when you were at the White House, 
were any of those run by Jeanne Lambrew or Nancy Ann DeParle? 

Mr. Chao. One was run by Nancy Ann and one, just a couple I 
attended that was with Jeanne Lambrew. And as I mentioned be- 
fore, my role was to provide a five-minute status on Hub develop- 
ment. 

Mr. Jordan. I am not worried so much about your role. I just 
want to establish the fact that you were at the White House be- 
tween 10 and 29 times. Mr. Park was there nine times. Mr. 
VanRoekel, how many times were you in these weekly meetings at 
the White House? 

Mr. VanRoekel. I don’t recall. I didn’t attend any weekly meet- 
ings. 

Mr. Jordan. Were you in any meetings with Jeanne Lambrew or 
Nancy Ann DeParle? 

Mr. VanRoekel. I have been in the company of those two people. 

Mr. Jordan. Regarding the Affordable Care Act? 

Mr. VanRoekel. Maybe once or twice. 

Mr. Jordan. Okay. Mr. Chairman, my time is expired. But those 
are the two people, those are the individuals that need to come in 
front of this committee. And we can’t accept the fact that we get 
a letter from the White House that says thank you, but we are not 
coming. 

Chairman Issa. I thank the gentleman. I would note for all mem- 
bers that there is a vote out on the Floor. We are going to go until 
the very last minute. What I would ask is, if Mr. Bentivolio or Mrs. 
Lummis, do either of you have specific questions for Mr. Park? 

Mrs. Lummis. I do not. 

Chairman Issa. Then Mr. Park, because we would otherwise 
keep you for longer than I think is necessary, I want to thank you 
for being here. I apologize to the other witnesses, you get to stay 
through the vote. But Mr. Park, you have been a very cooperative 
witness. I appreciate your being here. I believe you are being here 
as a person we are going to look to to get this right by November 
30th. It was critical I appreciate your being here and without objec- 
tion, you are dismissed. 

Mr. Park. Sir, just one more request? 

Chairman Issa. Sure. 

Mr. Park. Would someone send me contact info for Congressman 
Lankford, just so I can follow up? 

Chairman Issa. We will have that contact information given to
you. I will do one other thing quickly. If when you go back, since 
you are a Federal employee, go to the FEHBP website. What you 
will find there in a .pdf form is a spreadsheet. Now, Mr. Chao 
seems to think that it was not important to give people a shopping 
list. But I will tell you, if you are Federal employee, postal or non-postal,
you can go to that website, you can look at every single plan
and it will tell you how much the annual rate is, the bi-weekly 
rate, how much your government pays for you and how much you 
will pay by plan. 

Now, that doesn’t let you endlessly look at the details of the plan. 
But for 230-plus plans spread over not just 50 States but the Dis- 
trict of Columbia and Puerto Rico, we provide this to the Federal 
workforce. I might suggest that if you can’t get some form of legiti- 
mate, open shopping list up quickly, that currently telling people 
what their rate is, if they are 27 or 50, is disingenuous, because 
it distorts what the real rates are. And that a splash page like this, 
or a .pdf, so people could look at all the plans, and by age, depend- 
ing upon what their age is, they would know what the rate is, 
could be done in a matter of hours by a tenth grader. 

And that might suffice until this program is available. 

Mr. Chao. Can I make a comment really quickly? In my oral re- 
marks, I mentioned that we are working on a premium estimation 
tool that will give you more details than just the very coarse under 
49, over 50, so that you can browse plans. We are working on that. 

Chairman Issa. But understand, your under 50 is 27, your over 
50 is 50. That misstates, because it is age-based, it misstates the 
truth. If you were picking it, you should have picked 64 and 29, 
and you would have gotten much higher rates, if you are going to 
give anecdotal. But the truth is, a simple spreadsheet that Micro- 
soft, forget about Microsoft, Supercalc could have given you that 
spreadsheet before many of my staff were born. And that could 
have been made available very quickly. 

So I might suggest that the American people deserve to know 
that a plan based on their age is X amount and a free look would 
be very helpful. I commend you to look at FEHBP and what we do 
for ourselves as Federal employees. 

And with that, I am going to go to the gentleman from Michigan, 
I believe we have time. Mr. Bentivolio. 

Mr. Bentivolio. Thank you very much, Mr. Chairman. 

Gentlemen, are you familiar with Brooks’s law? Anybody? Brooks’s
law? That is the first thing you learn in software development. You 
need to divert developers to training new developers you added to 
the project, which kind of tells me that November 30th rollout is 
another hope and a dream. 

Are you familiar with this, Information Technology, Critical Fac- 
tors Underlying Successful Major Acquisitions, dated October 2011, 
nine best practices? 

Mr. Chao. I think I perused it. 

Mr. Bentivolio. Oh, good. So you are familiar with, well, you pe- 
rused it, you didn’t study it, apparently you didn’t. 

Mr. Chao. I was busy working on the marketplace program. So 
I don’t have a whole lot of time to read a lot of other materials. 

Mr. Bentivolio. Are you familiar with this fix that you are put- 
ting in for ObamaCare, you are diverting people that understand 
the software to train people, additional people to come in and fix 
the problem? 

Mr. Chao. Yes, I think that is what is happening now.

Mr. Bentivolio. You think. Okay. I am going to list three. Program
officials, three of the nine best practices essential to IT,
which you did not implement. Program officials were actively en- 
gaged with stakeholders, ObamaCare rollout apparently lacked 
senior oversight for most senior technology officials, including Fed- 
eral CIO, Federal CTO and HHS CIO. 

Mr. Powner, what should take from this report? 

Mr. Powner. Clearly, those are best practices. What we did, that 
was a report that we did, we always report on failures. So we actu- 
ally went to ten agencies and we asked them for a success story. 
So there are seven successful acquisitions in there and we asked 
why they were successful. None of that is a surprise. It is defining 
your projects right up front, putting the right people in charge, 
good communications with contractors and managing best practices 
throughout the life cycle. 

So it is something everyone at this table knows needs to be done 
on successful acquisitions. Mr. Chairman, I think FITAR and 
where we look at the acquisition process, and the whole bit, that 
is fine, that is going to be very helpful. But a lot of this just gets 
down to solid governance and good management and the right at- 
tention on these projects. That is what those practices really high- 
light. 

Mr. Bentivolio. Thank you. Mr. Chairman, I would like to yield 
the rest of my time to Mr. Meadows. Thank you. 

Chairman Issa. The gentleman is recognized.

Mr. Meadows. I thank the gentleman from Michigan. And I have 
a question. I have been running the numbers, and my under- 
standing is, we are creating this site to create a system that is 
available for 17,000 users per hour, is that correct? 

Mr. Chao. The way it was described is that the first part of the 
process is, you have to register for an account. That current capac- 
ity is running at 17,000 registrations per hour. 

Mr. Meadows. So what are we building the system to be able to 
handle in terms of capacity, 17,000 or higher than that? 

Mr. Chao. It is approximately 48,000 to 58,000 users in the sys- 
tem. By that I mean you could be on the learn side just looking 
at static web pages to actually actively filling out an application. 

Mr. Meadows. What is the smallest end of the conduit? What 
truly is it, 17,000, 25,000 or 43,000? What is our smallest ability 
in terms of volume to handle in terms of capacity? 

Mr. Chao. I think right now there is about, on average, some- 
where between 22,000 to 25,000. 

Mr. Meadows. So that is what we are building the capacity to, 
25,000? 

Mr. Chao. Per hour it is sitting right around that. 

Mr. Meadows. And that is what we are building it to, that is the 
specs? 

Mr. Chao. Actually a little exceeding that. For example, the front 
part, identity management part, we are going to apply some im- 
provement that is going to go to 30,000 registrations per hour. 

Mr. Meadows. Let me tell you the reason why I ask. I have done 
the numbers. If you take the number of uninsured Americans that 
are out there, and if they got on the system today, 24 hours a day, 
which we know doesn’t happen, it would be 43,000 people an hour. 
So we are building a system that won’t even take care of the uninsured
people that we have right now. So how are we going to be
successful? 

Mr. Chao. I would like to look at your calculations. 

Mr. Meadows. It is 50 million people, you can do it over the next 
48 days. 

Mr. Chao. I don’t think the estimates were there. 

Mr. Meadows. I know the estimates weren’t there. But if you do 
the math, that is what works. I yield back. 

Chairman Issa. I thank the gentleman, and I am sorry that you 
have to look at his figures, that in fact the burn rate necessary to 
get done wasn’t understood from day one, and the surge require- 
ment at 4:30 in the afternoon or 5:30 in the afternoon Pacific Time 
wasn’t in fact what you were looking at. I know Mr. VanRoekel 
would understand that you need two or three or four times the 
highest capacity to deal with when people actually are going to log 
on and try to do it. 

Mrs. Lummis is recognized. 

Mrs. Lummis. Thank you, Mr. Chairman. 

Mr. Chao, you said that NIST defines high risk as a vulnerability 
that could be expected to have a severe or catastrophic adverse ef- 
fect on individuals or organizational operations or assets. I want to 
focus on the part about the severe or catastrophic adverse effect on 
individuals. 

Is it true that there were two high risks that continue to be 
found related to the marketplace information systems that you 
weren’t told about at the time? 

Mr. Chao. I think you are referring to the September 3rd author- 
ization to operate. 

Mrs. Lummis. I am. 

Mr. Chao. Those two findings were, I think earlier in the hear- 
ing today, we clarified that that was dealing with two components 
of the marketplace systems that deal with plans submitting dental 
and health plan information, qualified health plan, and didn’t in- 
volve any personally identifiable information. 

Mrs. Lummis. The memo I have is redacted. So it doesn’t, I don’t 
have the information that you just testified to because of the 
redactions in the memo. So maybe that is correct, maybe it is not. 
Are you testifying that that is absolutely what it is about? 

Mr. Chao. Yes, because I saw an unredacted version that was 
handed by committee staffers to me last week. And if it has been 
redacted, it has been redacted by someone else. 

Mrs. Lummis. Did one of the risks outlined in this memo pertain 
to the protection of financial or privacy data? 

Mr. Chao. I don’t have it right in front of me. I think there was 
an appendix section. But I don’t recall seeing that. 

Mrs. Lummis. So you don’t know whether financial and privacy 
data were outlined as a risk in this memo? 

Mr. Chao. I don’t believe so, because it dealt with our plan man- 
agement or our qualified health plan submission module, which are 
data that is submitted by issuers and dental providers. 

Mrs. Lummis. Is it true that the internal memo, this memo, outlined
one of these risks as the threat and risk potential are limitless?

Mr. Chao. No. I think it is referring to a very specific type of risk
when you allow an upload of a file that has an internal macro that 
runs. But it is not about people. This is not personally identifiable 
information. 

Mrs. Lummis. What is it about? 

Mr. Chao. It is plans submitting their network adequacy. It is 
basically worksheets that contain information about the benefit 
data that each issuer submits. 

Mrs. Lummis. Okay. I am going to switch gears. Mr. Chao, did 
you brief White House officials prior to October 1st about the sta- 
tus of the website? 

Mr. Chao. No, not directly about the website. 

Mrs. Lummis. Who did? 

Mr. Chao. I don’t know. 

Mrs. Lummis. Mr. Baitman, did you? 

Mr. Baitman. I did not. 

Mrs. Lummis. Mr. VanRoekel, did you? 

Mr. VanRoekel. Not only do I not know that that happened, I 
don’t know and I did not. 

Mrs. Lummis. When Mr. Jordan asked you some questions, one 
of the things that he asked you was about your involvement in 
meetings. He was specifically referencing Ms., I am looking for the 
name. Well, let me just ask you this. Were any of the meetings you 
attended at the White House? 

Mr. VanRoekel. It depends how you describe the White House. 

Chairman Issa. The White House includes Treasury, the Old Ex- 
ecutive Office Building, the New Executive Office Building, and the 
White House proper at a minimum. 

Mr. VanRoekel. I didn’t know if you were talking about physical 
or organizational. 

Chairman Issa. Organizational. 

Mr. VanRoekel. I work in an agency that is part of the Execu- 
tive Office of the President. So every meeting I have is considered 
sort of part of that organization. 

Mrs. Lummis. And was Ms. Lambrew present? 

Mr. VanRoekel. As I mentioned in my answer to Mr. Jordan, in 
one to two meetings, yes. 

Mrs. Lummis. And what were those meetings about? 

Mr. VanRoekel. Those particular meetings were dealing with, 
they were asking actually, my private sector advice on demand 
generation and marketing to young people, how to use social media 
to reach out to uninsured Americans. 

Mrs. Lummis. So who was briefing the White House about the 
status of the website? No one? Did no one brief the White House 
about the status of the website before October 1st? Mr. Chao? 

Mr. Chao. Not me personally, but our administrator, Marilyn 
Tavenner, certainly is representing the agency. So you might want 
to ask her. 

Mrs. Lummis. So we don’t know whether the status of the Fed- 
eral exchange and the data, how they were ever a focus of meetings 
between White House and HHS personnel before October 1st? 

Mr. Chao. I think what I said earlier, that in the meetings I at- 
tended, I provided status briefings on the progress of certain IT 
builds like the data services Hub.

Mrs. Lummis. And your reports on the status of the builds set
off alarm bells with them? 

Mr. Chao. No, because the data services Hub was actually per- 
forming well and on time. And it received its authority to operate 
in August. 

Mrs. Lummis. Okay. So what happened between August and Oc- 
tober 1st? 

Mr. Chao. I didn’t attend any White House meetings. 

Mrs. Lummis. What happened with the performance of the Hub? 

Mr. Chao. The Hub is doing fine. It is doing what it is intended 
to do. 

Mrs. Lummis. Mr. Chairman, I yield back. 

Chairman Issa. I thank the gentlelady. 

I will be brief. Mr. Chao, the EIDM, or what I call the front door, 
is what didn’t perform well, isn’t that true? 

Mr. Chao. Correct. 

Chairman Issa. And since the system was designed so that you 
had to go through the front door to get anything else, it doesn’t 
really matter if you had 60,000, 600,000 or 60 million capability, 
if the American people had to go through that front door and only 
six got to the end, we can presume that the number that existed 
just prior to launch of 1,100 in that so-called minimized test, or as 
you said, it was only one-tenth the amount, really wasn’t true. The 
truth is that when people got time outs as they tried to register, 
as they tried to go through the EIDM, the marketplace Hub, one 
that you forced them through by in September determining that 
they could not look at a splash page to get a price idea if nothing 
else was available. 

That front door being blocked is essentially the reason that the 
American people have wasted, for the most part, a month trying to 
get registered, isn’t that true? 

Mr. Chao. No, it is not true. 

Chairman Issa. Yes, well, it is. 

Mr. Baitman, where were you, since you and Mr. VanRoekel are 
critically part of this process? Where were you, and Mr. Park was 
brought in afterwards, where were you in the months and years 
leading up to this? Why is it that you were not aware that on day 
one, this product was going to fail to launch in any legitimate, ac- 
ceptable way? 

Mr. Baitman. As I indicated in my opening testimony, HHS is 
a federated agency. 

Chairman Issa. Okay, not your job, this is an orphan. 

Mr. VanRoekel, you came out of the private sector. Bill Gates 
and Steve Ballmer and a lot of other people at Microsoft would
have had somebody’s neck hung, maybe not literally and maybe not 
fired them, but they would want to know, demand to know, Steve 
Jobs, when he was alive over at Apple or NEXT and the other pro- 
grams, they would have said, who the blank is responsible for this 
failure? Can you tell me today whose job it was to make sure that 
we didn’t have this dreadful failure to launch that didn’t call the 
one person that should have known and didn’t do their job? One 
person? Who was that person? 

Mr. VanRoekel. As I said earlier, I wasn’t close to the actual
development. I am not in a position to make that call.

Chairman Issa. Okay, so I had you and Mr. Park, Mr. Baitman,
Mr. Chao, we will leave the GAO out of it, because we are probably 
going to ask them and others to help us find out. But none of you 
today can tell us who failed to do their job. And as a result, the 
American people lost a month of any effective, real ability to sign 
up. This website was dead at launch for all practical purposes. 

And I am sorry, Mr. Chao, you can give me all the numbers you 
want, six on the first day, 240 on the second day, when millions 
of Americans were trying to make this work. We may disagree on 
ObamaCare, but we don’t disagree that that was unacceptable. You 
heard it on both sides of the aisle. 

Mr. VanRoekel, I think you fail to understand, you and Mr. 
Baitman and all of you in the Administration who were allowed to 
go to those meetings, Mr. Powner would tell you that best practices 
should be a lot more like it is at Toyota Company or Honda. In the 
production line, one person who sees a bad car coming down is al- 
lowed to stop the production line. In this case, a really defective, 
something that would make the Edsel look like a success story, 
launched on October 1st and nobody said, here today or for that 
matter since I have been listening to the various hearings, nobody 
said, I should have pulled the stop button. 

Mr. Chao, you refused to answer give a grade. Mr. Baitman, you 
refused to answer give a grade. Mr. VanRoekel, you refused to an- 
swer to give it a grade. Well, I am going to give it a grade. This 
was an F. Or on a pass-fail, this was a fail. Every one of you should 
have been close enough to know there was something wrong, to ask 
somebody in one of those many meetings, are we sure this is going 
to work. And at least get an assurance from somebody that it 
would. 

Mr. Powner, I want to thank you for being here today. Although 
many people have talked about FITAR and what we need to do in 
legislation, you are the only person here that represents an organi- 
zation that has said, there is a right way to do it, we have looked 
at agencies at the Federal Government who have done it right, and 
like you, we normally look at the agencies that fail. We look at the 
program out of Wright-Pat that failed and lost us a billion dollars.
We are looking at failure that cost the American people millions of 
their hours, frustrated, trying to get online to check whether or not 
health care is going to be more affordable for them. 

So I look forward to all of you being part of the process of best 
practices in your job going forward. But I look also with all of you 
realizing without legislative change, we will be back here again, 
with everybody saying, I didn’t fail to do my job, even when a prod- 
uct failed to launch. 

And with that, you are dismissed. We will set up the next panel 
for after the vote. 

[Recess.] 

Chairman Issa. Now for our second panel we have Richard 
Spires, Former Chief Information Officer at the Department of 
Homeland Security. And Ms. Karen Evans is the former Adminis- 
trator of the Office of Electronic Government and Information 
Technology at the Office of Management and Budget. 

Pursuant to the rules, all witnesses will be sworn. Would you 
please rise, raise your right hand to take the oath. 

Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth and nothing but 
the truth? 

[Witnesses respond in the affirmative.] 

Chairman Issa. Please be seated. 

Let the record reflect that both witnesses answered in the affirm- 
ative. 

In order to save time, we ask that the entire opening statements 
of both witnesses be placed into the record. Without objection, so 
moved. 

We now will allow you to abbreviate, since your entire opening 
statement is in the record. Try to stay within the five minutes. 

Ms. Evans? 


STATEMENT OF KAREN EVANS 

Ms. Evans. Good morning, Chairman Issa, Ranking Member 
Cummings and members of the committee. I am pleased to be in- 
vited back to share my views of ObamaCare implementation, the 
rollout of Healthcare.gov. 

From an IT implementation standpoint, Healthcare.gov was a 
classic IT project failure that happens in the Federal Government 
too frequently. As the executive leadership at the Federal Depart- 
ments and agencies, the President’s political appointees are at the 
top of the management chain for Federal employees and contrac- 
tors. In looking for the cause of this failure, some point to the lack 
of testing. Others, including the President, cite the challenges of 
the IT procurement process. And still others note the complexity of 
the program and the interfaces with private insurance company 
systems. 

However, the cause of this failure was not the complexity of the 
program nor the procurement process nor the testing. The 
functionality and the shortcomings of Healthcare.gov are a result 
of bad management decisions made by policy officials within the 
Administration. They did this to themselves. And if they are now 
surprised, it is because their own policy officials failed to inform 
them of the decisions they have made and the consequences associ- 
ated with those decisions. 

As soon as this legislation was passed, there were policy deci- 
sions which needed to be made. These policy decisions would drive 
the technical design of healthcare.gov IT systems. They fundamen- 
tally determined the workflow and business processes driving how 
the law would be implemented. 

I have been on both sides of policy implementation, as a career 
civil servant and as a political appointee. The problems with 
Healthcare.gov are symptomatic of a recurring problem. Passing a 
law or issuing a policy is not enough. If there is a new law, man- 
agement reform or policy initiative you want to accomplish, then 
you as a policy official need to be engaged during the implementa- 
tion to assure there is an appropriate, integrated project team in 
place to manage the day to day operations. 

All levels of the organization need to be willing to get into the 
weeds to understand these intricate aspects of management and 
implementation. Because the devil is in the details. Someone can 
change a seemingly innocuous requirement in a meeting and cause 
a huge impact on schedule, cost or functionality. IT projects are 
particularly good at highlighting management failings, because 
they require coordination between the many different parts of an 
organization. If the agency’s CIO is not actively at the management 
table, participating in those decisions, and more importantly, explaining 
the ramifications of the policy decisions they are making, 
the projects get off track and ultimately fail. 

The chief information officer is the person in the C suite who has 
the capacity to translate technology issues into business-speak for 
other business leaders. When a technical implementation specifica- 
tion hinges on a policy decision, the technical team depends upon 
the CIO to elevate the question to the appropriate decision maker. 
Because the CIO can speak to senior executives in terms that are 
relevant to them and can state potential consequences in terms of 
political and policy values, the CIO is in a unique position to ensure 
that policy officials do not regard those decisions as staff level 
functions. And if these potential consequences are significant, then 
departmental and White House officials may need to be briefed by 
the CIOs. 

In the wake of the Healthcare.gov implementation failure, some 
analysts have asserted that the private sector could have done this 
better, thereby implying that there are some conditions inherent in 
Federal IT which impede success and impair Federal CIOs. It is 
certainly true that Federal CIOs are burdened by deliberative re- 
straints placed upon them by Congress and OMB. But Federal 
CIOs also enjoy freedom from competition and the whims of the 
market. 

Overall, Federal CIOs and commercial CIOs are more similar 
than different. We all have the same job description: to be the tech- 
nical, savvy member of the executive team, to provide value 
through innovation, to manage data as a strategic asset, and to 
lead a large team of technologists and inspire them to achieve 
greatness. Whether a CIO is at a large or small organization, bu- 
reau level or department, public sector or private, the scale may 
differ, but the management challenges are the same. 

I have included in my written statement some key questions 
which every CIO should be asking; but more importantly, the CIO 
should be able to answer these questions for their leadership in 
clear business terms. Thank you for the opportunity to testify 
today, and I look forward to answering any questions. 

[Prepared statement of Ms. Evans follows:] 

Good morning Chairman Issa, Ranking Member Cummings, and Members of the Committee. I am 
pleased to be invited back to share my views on “ObamaCare Implementation: The Rollout of 
HealthCare.gov.” My remarks today will discuss best practices for major Information Technology (IT) 
systems implementation, how policy decisions drive the technical specifications for IT systems, and 
the role of the CIO in elevating these decisions to policy officials. 

Typical IT Major Project Failure 

From an IT implementation standpoint, Healthcare.gov was a classic IT project failure that happens 
in the Federal Government too frequently. As the executive leadership of Federal departments and 
agencies, the President's political appointees are at the top of the management chain for Federal 
employees and contractors. In looking for the cause of this failure, some point to the lack of 
testing. Others, including the President, cite the challenges of the IT procurement process. And 
still others note the complexity of the program and the interfaces with private insurance company 
systems. However, the cause of this failure was not the complexity of the program, nor the 
procurement process, nor the testing. The functionality and shortcomings of Healthcare.gov are 
the result of bad management decisions made by policy officials within the Administration; they did 
this to themselves. And if they are now surprised, it is because their own policy officials failed to 
inform them of the decisions they had made and the consequences associated with those decisions. 

Policy Decisions Needed 

As soon as this legislation was passed, there were policy decisions which needed to be made. These 
policy decisions would drive the technical design of the Healthcare.gov IT system; they 
fundamentally determined the work flow and business processes driving how the law would be 
implemented. 

I've been on both sides of policy implementation - as a career civil servant and as a political 
appointee. The problems with Healthcare.gov are symptomatic of a recurring problem: Passing a 
law or issuing a policy is not enough. If there is a new law, management reform, or policy initiative 
you want to accomplish, then you, as the policy official, need to be engaged during the 
implementation to assure there is an appropriate integrated project team in place to manage the 
day-to-day operations. All levels of the organization need to be willing to get “in-the-weeds,” to 
understand these intricate aspects of management and implementation, because the devil is in the 
details; someone can change a seemingly innocuous requirement in a meeting and cause a huge 
impact on schedule, cost, or functionality. IT projects are particularly good at highlighting 
management failings because they require coordination between many different parts of an 
organization. If the agency CIO is not actively at the management table, participating in those 
decisions and, more importantly, explaining the ramifications of the policy decisions they are 
making, then projects get off-track and ultimately fail. 

For example, one policy decision that is causing problems with Healthcare.gov was whether the 
system had to verify the identity of an individual before allowing the user to browse the 
marketplace. That is a policy decision, not a technical decision. Technology can actually do 
whatever is required. The policy decision that drove the technical implementation created a 
bottleneck at the front end. I do not want to speculate on why this identity verification option was 
selected. But the generally accepted procedure and best practice for decisions on implementation 
requirements is to list each possible viable option along with the advantages and disadvantages of 
each. 

Another policy decision was the requirement to directly interface with insurance provider systems 
and with other government systems at IRS and SSA. Again, these were not technology questions; 
the technology exists. And these were not statutory requirements; the law did not say, “the system 
shall interface to system X at the IRS.” These implementation requirements were driven by policy 
decisions and arbitrary interpretations of the law. Such questions must be answered by policy 
officials because they require value judgments and cost-benefit trade-offs. For example, “Does the 
IRS have to verify the identity of people, or can a private insurance agency do that?” You’re seeing 
this play out now with the issues of determining eligibility for subsidies and concerns about improper 
payments. Unlike the regulatory process, the functional specifications driven by these policy 
decisions are not necessarily subject to the public notice and comment rulemaking process. These 
are huge management and implementation issues that need to be reviewed from both a political and 
policy perspective. 

A former CMS senior executive, when the management failures came to light, said in a recent 
interview that he did not see the launch of Healthcare.gov as a major part of his job. Rather, he 
said, “Those were staff level functions,” 1 while he focused on more important policy issues. 
However, these implementation management questions were driving massive requirements for 
system implementation, and that was going to impact the timeline of the system launch. For any 
political appointee, the IT system implementing a major Presidential policy initiative must be highest 
priority, and this must be communicated to their entire team. 

Elevate Policy Questions 

The Chief Information Officer (CIO) is the person in the C-Suite who should have the capacity to 
translate technology issues into business-speak for the other business leaders. When a technical 
implementation specification hinges on a policy decision, the technical team depends upon the CIO 
to elevate the question to the appropriate decision maker. Because the CIO can speak to senior 
executives in terms that are relevant to them, and can state potential consequences in terms of 
political and policy values (e.g. public opinion, unfavorable news stories), the CIO is in the unique 
position to ensure that policy officials do not regard these decisions as “staff level functions.” And 
if these potential consequences are significant, then Departmental and White House officials may 
need to be briefed by their CIOs. 

For example, during my tenure as the OMB E-Gov Administrator, the FBI Virtual Case File (now 
known as Sentinel) program faltered. In my management oversight role, I began meeting weekly with 
the Department CIO, the Bureau CIO, the program management staff, and the contractors - all in 
the same room - so that I could understand the project and raise policy issues to White House 
senior officials as necessary. This “integrated project team” or “IPT” developed an agreed upon 
project plan to correct the deficiencies and move forward. 

Focus Management Attention 

In addition to elevating policy decisions to White House officials, the E-Government Act 2 3 directs 
the Administrator to help improve the management of IT in the agencies. During my tenure, I 
published a quarterly list of projects that warranted extra management attention. The Management 
Watch List included projects which were either not well planned or not being well managed and 
projects which exhibited unusual risks because of their size or complexity. By distilling volumes of 
data down to a simple list, agency senior executives, who might not have expertise in IT 
management tools (e.g. earned value management), would readily know the status of projects in 
their agency, and could call me if they had questions. And I was able to flag suspicious or obviously 
incorrect data for further investigation of those projects. 

Pressure to Succeed 

Recent news stories indicate that a CMS official signed the authorization for Healthcare.gov to “go 
live” without the system having undergone adequate testing. While this may have satisfied the 
statutory requirements of FISMA 3, it certainly circumvents the intent of the law. Here again, the 
CIO is in a unique position to ensure that senior executives understand the decisions they’re being 
asked to make, and the implications of each option available to them. 

Establish a Go/No-Go Milestone Date 

Some have cited the tremendous pressure of public expectations as compelling administration 
officials into the decision to “go live.” But again, this was a situation of their own making. Any 
high profile project should establish a go/no-go milestone, and stick to it. A go/no-go milestone is 
simply a date by which the project must have completed a specific, measurable amount of progress 
in order for the entire project to be completed by the due date. Thus, you know that if you haven’t 
met the milestone by the date, you’re not going to make it. In this case, having a go/no-go date 
for Healthcare.gov, perhaps a year before the go-live date, would have allowed the President and 
his advisors to manage public expectations, to develop a fallback plan and provide the remediation 
plan to address the known deficiencies. 

2 E-Government Act of 2002, PL107-347 

3 Federal Information Security Management Act of 2002, Title III of PL107-347 

For example, when we were initially implementing Homeland Security Presidential Directive-12, 
(HSPD-12), the President’s directive requiring uniform employee identification cards at all agencies, 
we had publicized the planned completion date. But when we reached our go/no-go date, we had 
failed to complete the key milestone, so we knew we were not going to meet the announced completion 
date. Because of that, I was able to notify senior policy officials well in advance of the announced 
completion date. This allowed us to formulate a corrective action plan with each department and 
agency, and to develop a communications plan to temper the expectations of the public and the 
press; instead of crashing on the runway, we got on the PA system and told everyone we were going 
to circle around for another landing attempt. 

The Role of the CIO 

In the wake of the Healthcare.gov implementation failure, some analysts have asserted that the 
private sector could have done this better, thereby implying that there is some condition inherent in 
Federal IT which impedes success and impairs Federal CIOs. It is certainly true that Federal CIOs 
are burdened by the deliberate restraints placed upon them by the Congress and OMB. But 
Federal CIOs also enjoy freedom from competition and the whims of the market. Overall, Federal 
CIOs and Commercial CIOs are more similar than different. And we have the same job description: 
to be the technology-savvy member of the executive management team, to provide value through 
innovation, to manage data as a strategic asset, and to lead a large team of technologists and inspire 
them to achieve greatness. Whether a CIO is at a large organization or small, bureau level or 
department level, public sector or private; the scale may differ, but the management challenges are 
the same. Attachment A includes some key questions which every CIO should be asking but more 
importantly the CIO should be able to answer these questions for their leadership in clear business 
terms. 

Thank you for this opportunity to testify today. I look forward to answering the Committee’s 
questions. 

Attachment A - IT Management Checklists 

Vetting potential new investments - Does the project sponsor have a clear vision of what he/she is 
trying to accomplish and how the IT system will support the new product or service? CIOs should 
evaluate the sponsor’s answers to these questions: 

For this program/project: 

✓ What will be different? 
✓ What problem are you solving? 
✓ When do you need to be complete? 
✓ How will you measure success? 
✓ What does it cost? 
✓ Are you being realistic? 

Six Keys to Success - These six attributes reflect lessons-learned from numerous IT projects in 
both government and private industry. While these elements do not guarantee success, the absence 
of any one of them almost certainly will guarantee failure. 

✓ Strong Executive Leadership; 
✓ Well-Defined Governance Models; 
✓ Alignment with budget process; 
✓ Clearly Defined Outcomes and Performance Measures; 
✓ Accountability and Transparency; and 
✓ Stakeholder Outreach. 

Chairman Issa. Thank you. 

Mr. Spires? 

STATEMENT OF RICHARD A. SPIRES 

Mr. Spires. Chairman Issa, Ranking Member Cummings and 
members of the Committee, thank you for the opportunity to testify 
on issues with Healthcare.gov and more generally on IT manage- 
ment issues in the Federal Government. 

With more than 30 years of experience working on delivery of 
large IT programs, I speak from real world experience regarding 
what is required to successfully deliver such programs. I served in 
the past two Administrations and saw similar IT management 
issues in both. So my remarks focus on highlighting systemic weak- 
nesses in our ability to effectively manage IT, along with some rec- 
ommended solutions. 

My written testimony outlines five key elements required to ef- 
fectively deliver an IT program. In regard to the rollout of 
Healthcare.gov, my information was obtained from previous Con- 
gressional hearings and media articles. It is clear that there were 
fundamental weaknesses in the program management processes. 
For a system as complex as Healthcare.gov, best practice would 
have led to a plan that included completion and testing of all sub- 
systems six months prior to public launch, three months of end to 
end functional integration testing, and a subsequent three month 
pilot phase in which selected groups of users identified problems 
not caught in testing. 

It was reported that the program did not start and end func- 
tional testing until two weeks prior to launch and there was no for- 
mal pilot program prior to roll-out. This is evidence of a lack of ma- 
ture program management processes. Second, there was a lack of 
program governance model that recognizes the proper roles and au- 
thorities of the important stakeholders, to include the business, IT, 
procurement, privacy, et cetera. For IT programs, the business or- 
ganization or mission organization must be intimately involved in 
helping define requirements, making hard functionality trade-offs 
and being a champion for the program. The IT organization must 
ensure there is a capable program management office using man- 
agement best practices to deliver large IT programs. 

Evidence of launch of Healthcare.gov shows the balance between 
the business and IT organizations was not correct. For example, 
changes were being finalized up to a few weeks before launch. This 
is much too late. Requirements should have been locked down 
months before. The business organization had the ability to make 
changes that led to bad management practice. 

The issues of the rollout of Healthcare.gov are emblematic of the 
IT management challenges in the Federal Government, yet improv- 
ing our ability to effectively manage our IT is critical. Our govern- 
ment, if it more effectively manages IT, can harness its trans- 
formational capability, significantly improving government’s effec- 
tiveness and efficiency. I recommend that three actions be taken to 
improve Federal Government IT. 

First, it is important that Congress pass legislation to update 
how this government manages IT. I appreciate the leadership of 
Chairman Issa and Representative Connolly in co-sponsoring the 
FITAR legislation. While legislation alone will not fix all the issues 
with IT management, it will elevate the standing of agency CIOs 
and put in place mechanisms for development of centers of excel- 
lence to leverage best practices and program management and ac- 
quisition across the Federal Government. These changes could have 
helped to address the critical failings of the program management 
of Healthcare.gov. 

Second, agency CIOs need to have control over implementation, 
operations and the budget of all commodity in their agency, which 
includes the data centers, cloud services, servers, networks, stand- 
ard collaboration tools like email as well as back office administra- 
tive systems. 

A couple of years ago, I was fortunate to be in a session that in- 
cluded a number of CIOs for Fortune 50 companies. In the course 
of discussion, it became clear that one of the clear elements in ef- 
fectively leveraging IT for an enterprise is a modernization stand- 
ardization and appropriate consolidation of the underlying IT infra- 
structure. 

I urge that Congress address this recommendation through the 
IT reform legislation and the Administration to address this rec- 
ommendation through the portfolio stat process. 

Third, the current Administration should make IT management 
a centerpiece of its overall management reform agenda. This en- 
tails the recognition and focus at the most senior levels of govern- 
ment of the importance of IT and improving IT management. It in- 
cludes a serious commitment to improving program management 
practices, elevating the status of agency CIOs and ensuring the 
agency CIOs own the commodity IT. 

I hope the troubled launch of Healthcare.gov can serve as a cata- 
lyst to drive positive change in the way we manage IT. The best 
practices exist and are proven. We need leadership in Congress to 
pass reform legislation and leadership in the Administration to rec- 
ognize the importance of IT management. 

Thank you. 

[Prepared statement of Mr. Spires follows:] 

The HealthCare.gov rollout: What should we learn? 


By Richard Spires 
Nov 04, 2013 



The troubled launch of HealthCare.gov pains me - as someone who has great passion for 
wanting to make government IT more effective, this public spectacle once again casts 
federal IT in a very negative light. As a federal IT community we appear unempowered, and 
worse, incompetent. 

My observations here are based solely on public information I have gleaned through the 
media and listening to the various congressional hearings. I was never close to the planning 
or development of the HealthCare.gov website and supporting back-end systems. In full 
disclosure, however, I did participate in one HealthCare.gov planning session a couple of 
years ago when I was Department of Homeland Security CIO. The session was to ensure 
various agencies (including DHS) identified the individuals to work with the Centers for 
Medicare and Medicaid Services on the required data-sharing to support the enrollment 
process. 

CIO Perspectives is a new FCW feature by former Department of Homeland Security CIO 
Richard Spires. The column originally intended as Spires' debut will appear mid-November 
both online and in print; this reaction to the HealthCare.gov rollout serves as a web-only 
preview. 

A significant part of my 30-year career has been devoted to IT program management and 
oversight. For a system as complex as HealthCare.gov, best practice would have led to a 
plan that included: 

1) Completion and testing of all subsystems six months prior to public launch. 

2) Three months of end-to-end functional integration testing. 

3) Concurrent performance testing that would have simulated loads up to 10 times greater 
than expected (especially since it was difficult to model expected peak loads). 

4) A subsequent three-month pilot phase in which selected groups of users were using the 
system to work off problems not caught in testing. 

While I do not know for certain, I would expect that CMS had original development plans that 
were close to best practice. Yet some of the contractors involved have admitted that there 
were only two weeks of end-to-end integration testing prior to launch. That means the 
American public is serving as the integration testers of this system - not a situation anyone 
would ever plan for or want. 

So what happened? There is pattern recognition for those of us who have been involved in 
many large IT programs. First, it is difficult to accurately plan the level of effort and time to 
develop new systems that are composed of complex and interdependent subsystems. 

Hence, there should have been schedule management reserve built in up-front, at least three 
months and perhaps as much as six months. 

Second, given that different contractors were responsible for different subsystems, there 
needed to be a strong and competent program management office (PMO) that oversaw the 
program and the integration of the subsystems into a coherent, functional system. The 
evidence suggests that the PMO was not nearly as effective as required. 

Third, the launch date of Oct. 1 was deemed immovable. As development schedules slipped, 
as integration challenges mounted, there were clearly compromises made so as not to delay 
the launch. I suspect little functionality could be deferred (the site must enable the full 
enrollment process), so what was compromised is good practice. It is simply bad practice to 
launch a complex system with very little end-to-end testing. There is no excuse for this, and 
given the complexity of systems CMS operates, there are clearly individuals in CMS who 
knew this launch would not go well because of inadequate testing. 

Finally, there is the biggest failure, and the one that dooms many IT projects: The correct 
roles and authorities were not assigned to the business and the IT organizations. (In this 
case the business organization would have included leaders from CMS, HHS and possibly 
the White House). 
When I review an IT program, that role assignment and the authorities are one of the first 
things I look at to assess the health of that program. The evidence on the launch of 
HealthCare.gov shows clearly the balance was not correct. As reported by the media, a 
change in a requirement that disabled the ability for users to browse insurance policies 
without first enrolling was made just two weeks before launch. This was much too late - 
requirements should have been locked down months before then. The business organization 
had the ability to make changes that led to bad program management practice. 

In subsequent columns I plan to address a number of issues and recommendations 
regarding large IT program management. But for now, let's focus on how to address the 
proper partnership between the business and IT. 

There must be a program governance model in place that recognizes the proper roles and 
authorities of the business organization and the IT organization for there to be success. The 
business organization must be intimately involved in helping define requirements, making 
hard functionality trade-offs, and being a champion for the program with stakeholders both 
inside and outside the agency. The IT organization must establish a solid PMO with 
appropriate use of best practices to deliver large IT programs. And there needs to be a 
regular forum in which the business organization and IT organization executives work 
together to help the PMO make the tough decisions in running a program. 

A fundamental tenet, however, is that sound program management practice must always be 
followed. There are no shortcuts to delivering large, complex IT programs. Having been 
intimately involved in dozens of such programs, I can state with absolute certainty that 
executing with anything less than solid program management practice is very high risk and 
leads to failures. The administration would be well served to incorporate the proper 
governance model for all large, complex IT programs. 

One last point: The team of government personnel and contractors correcting 
HealthCare.gov must be working tremendously long hours and are under tremendous 
pressure. I thank them for their efforts. 

About the Author 

Richard A. Spires has been in the IT field for more than 30 years, with eight years in federal 
government service. He served as the lead for the Business Systems Modernization program 
at the IRS, then served as CIO and finally as deputy commissioner for operations support. 
Most recently he served as the CIO for the Department of Homeland Security. 

Chairman Issa. Thank you both. 

First of all, I would ask unanimous consent that the article enti- 
tled The Healthcare.gov Rollout: What Should We Learn?, which 
Mr. Spires authored on November 4th, 2013, be placed into the 
record. Without objection, so ordered. 

Chairman Issa. I am going to start with you, Mr. Spires. You 
heard the first panel. From your experience, and I will go to Ms. 
Evans also, did I have the right people for the most part here, leav- 
ing GAO out for a moment, to ask who is responsible, why was this 
thing launched practically non-working, completely, only six suc- 
cessful registrations the first day? Did I have the right people? 

Or did I have the wrong people and that is why they all said it 
wasn’t their job? 

Mr. Spires. You had the right technical people at the table. I be- 
lieve in a balanced program where you have technology leaders as 
well as the business leaders working together. 

Chairman Issa. But somebody at that table should have been 
able to tell us basically who should have stopped this program or 
recognized that it was going to fail to launch? 

Mr. Spires. Somebody at that table I think should have been 
able to tell you that. 

Chairman Issa. Ms. Evans, in your time at OMB, I think more 
than anything else, is it your experience that the Office of Manage- 
ment and Budget ultimately, the OMB director, who gets to meet 
with the President, who gets to say that key pieces of legislation, 
key implementations are or are not going correctly? Has that been 
your experience? 

Ms. Evans. And I will speak from my experience, and that is 
true. And so we viewed, during my tenure, that OMB had oversight 
into the Executive Branch of ensuring that the President’s prior- 
ities got implemented. 

Chairman Issa. I am going to ask you from one personal experi- 
ence. Have you been in the Oval, other than ceremonially, have you 
been in the Oval for a meeting? 

Ms. Evans. Not exactly in the Oval Office, but they have staff 
offices outside. 

Chairman Issa. But you were in that area? 

Ms. Evans. Yes. 

Chairman Issa. So you were there, I assume, with the Director 
or somebody on some important briefing that was going on? 

Ms. Evans. Yes. 

Chairman Issa. And that is a regular part of White House life? 

Ms. Evans. If you are working on priorities that are important 
to the Administration, yes. And one would assume that if you are 
a staff person in the White House, all of us are working on prior- 
ities that are important to the President. Not going to meetings at 
that level are not necessarily a daily occurrence of the job. 

Chairman Issa. I realize that is a rare one. But we can all agree, 
I believe, I think the ranking member would join with me, that the 
signature piece of legislation of the President is the Affordable 
Care Act. Can you figure out for me or help me understand how 
people could serve the President so poorly that it appears he was 
never told that this was going to be a disastrous launch? 

Ms. Evans. In my analysis from the public record, as well as 
watching the testimony that happened prior, I believe that if I 
were in that position that I would have elevated things through, 
because that is the President’s key legislation, it is his number one 
priority. And so that is what the Chief Information Officer is sup- 
posed to do. They are supposed to analyze, as I said in my testi- 
mony, analyze what potential decisions are being made and what 
is that impact on the President’s priorities to get done, from a polit- 
ical perspective, from a communications perspective, from an over- 
sight perspective of what the impact would be and how you would 
have to do a Congressional notification if you were changing things. 

That is what a CIO is supposed to do. That would have been ele- 
vated up so that the OMB director would have known what the im- 
pact was happening, so that the director could then talk to the 
President about potential opportunities. 

Chairman Issa. Now, Mr. VanRoekel was your successor, is that 
correct? 

Ms. Evans. Yes. 

Chairman ISSA. And yet he said that he was only the facilitator 
of these meetings. Did you do a lot of facilitation when you had his 
job? 

Ms. Evans. I would call it facilitation. I don’t know that the 
agencies that I was supposed to provide leadership and oversight 
to would necessarily call it facilitation. I would like to think that 
that is the nice way that we did it. 

Chairman Issa. You invited people to bring in groups? 

Ms. Evans. Yes. 

Chairman Issa. You brought them to the White House or accom- 
panying facilities? 

Ms. Evans. Yes. 

Chairman Issa. And at those meetings, you either were there 
personally or at least you introduced the meeting and monitored 
whether it was going the direction that you and your bosses want- 
ed it to go? 

Ms. Evans. I can speak to my own management style, which is 
a very hands-on approach. Because I really personally view that if 
it is my boss’s priority, number one priority to get something done, 
then it is my job to make sure that the leadership up the chain to 
him are fully informed of decisions that are being made. 

So I am a little hands-on as a manager. I came up through the 
ranks, through operations. So I have a tendency to do that. 

Chairman Issa. But you are not a micromanager? 

Ms. Evans. I would like to think I am not. But if it is something 
that is that important, I personally, especially for things that are 
important to the Administration at the time during my tenure, I 
would personally make sure that I knew the status of what was 
going on on those projects. 

Chairman Issa. Mr. Spires, I am not leaving you out completely. 
But I will ask both of you, in 184 weeks from the passage of the 
Affordable Care Act, until the failure to launch, can you conceive 
that anyone, leaving GAO out, on that first panel, should not have 
seen that there were problems and had taken at least an active 
role in addressing those problems? 

Mr. Spires. Proper governance is critical on programs like this. 
Because there are a lot of stakeholders involved. And you need to 
have good information and you need to do it on a very regular basis 
to make sure that these programs are going well. Individuals at 
this panel, other than Mr. Powner, certainly I think should have 
been in that chain of receiving that information, reviewing that, 
being part of reviews as part of a good governance model. That 
clearly did not exist. 

Chairman ISSA. And Ms. Evans, I will modify that as my close. 
Not only shouldn’t they have, but can you give us a little bit of a 
feel for what life would have been like if President Bush, who you 
worked for, had gotten blindsided by a failure of one of his hall- 
mark pieces of legislation, Medicare Part D, No Child Left Behind 
or something of a similar level? 

Ms. Evans. I was involved in Medicare Part D, just so that you 
know. And we could talk about that as well. If something like this 
happened during my tenure, I can only speak for what I would do. 
I would have offered my resignation before I got fired. 

Chairman ISSA. With that, I recognize the ranking member. And 
you never got fired, I want to make that clear. 

Ms. Evans. No. I did not get fired. I did the job for six years. 
But in this particular case, if my President had to go on TV and 
say some of the things that this current President has had to do 
in an area of my responsibility, I would have offered my resigna- 
tion. 

Chairman ISSA. Thank you. 

Mr. Cummings. What was your responsibility with regard to 
Medicare Part D? 

Ms. Evans. When the rollout came out, there were some specific 
issues related to information technology. I would say it is the same 
type of thing that is happening right now. An analysis had to be 
done about, could you actually fix it through information tech- 
nology, what were the issues. And it really was a timing issue with 
the legislation, which is the reason why I am making the point 
about when you pass a law, you have to know. 

So the way that that legislation was crafted, if a user signed up 
for the benefit at 11:59 p.m. on the 30th of the month or the 31st 
of the month, then they were eligible at 12:01 a.m. the next month 
for that benefit. There is no IT system the way that these systems 
work that you could get all that information populated through the 
system so you had to really analyze what was the work process and 
how the IT worked. 

So what we did was we provided options to the policy councils 
to say, if there really are additional funds available, what hap- 
pened was they had, similar to what the navigators are now, people 
to help sign up, and if you signed up people before the 15th of the 
month, then those people actually got paid within 30 days, the ones 
that were helping sign people up. If you signed up after the 15th 
of the month, then the people that were helping do this actually 
would get paid 45 to 60 days later. 

So the idea was, okay, if the technology solutions can only, there 
is a big batch process that happens the 15th of the month, you provide 
the incentives up front, get everybody into the system between 
the 1st and the 15th, get them signed up so that all their data 
shows up in the IT systems by the next month so that they are eligible. 

Mr. Cummings. But let me ask you this, were there IT problems 
back then? 

Ms. Evans. There are always IT problems. But what you have 
to do is analyze it from a business perspective and provide alter- 
natives to the policy leadership so that they can make informed 
policy decisions of how they are going to handle it. 

Mr. Cummings. Yes, because I specifically remember working 
with my constituents because they were having all kinds of prob- 
lems. 

Ms. Evans. Absolutely. 

Mr. Cummings. Let me ask you both this. If you have a situation 
here where for example, in the governors, more than half the gov- 
ernors decide not, for example, to do their own marketplace, would 
that have affected you in any way or should that have affected this 
project? I am just curious. From an IT standpoint. 

Mr. Spires. Well, sure it would, sir. From a volume standpoint, 
from the scope and scale of what you would need to create. 

Mr. Cummings. Would it make it a little harder? 

Mr. Spires. Yes. 

Mr. Cummings. A little more complicated? 

Mr. Spires. A little more complicated, yes, sir. 

Mr. Cummings. And so Mr. Spires, someone had suggested that 
one of the problems with the development of the Affordable Care 
website is that there was no single contractor overseeing the work 
of all the other contractors, that there was no lead system inte- 
grator. However, experience in the past Administrations with using 
contractors used to oversee other contractors has often resulted in 
failed programs and millions of wasted tax dollars, is that right? 

Mr. Spires. That is correct, and I have a close history with this 
at the IRS, if you would like me to comment on the topic. 

Mr. Cummings. Yes. 

Mr. Spires. When I came in in 2004 to run the business systems 
modernization program at the IRS, and it got moved to that 
outsourced kind of program management office where a contractor 
was serving as that systems integrator. And it was not working 
well. I am a huge believer that the government needs to stand up 
to build a strong program management office for these large scale, 
complex IT programs. You have to have solid, experienced govern- 
ment people in charge and running these programs. 

It doesn’t mean you can’t have contractor support. But I have 
found if you don’t do that, the dynamics don’t work. There are so 
many stakeholders involved that are government people you have 
to work with who are not part of the program, and in order to 
make that work effectively, you need to have strong government 
people on the ground that are running this program day in and day 
out. 

Mr. Cummings. So I didn’t see it in IT but I saw it when I was 
chairman of the Coast Guard Subcommittee, with Deepwater, 
where we were literally buying boats that didn’t float. 

Mr. Spires. Yes. 

Mr. Cummings. Literally. Some of them are sitting near my dis- 
trict right now. 
And the contractor, the lead systems integrator, didn’t have that 
intertwined situation that you just talked about where the govern- 
ment people were doing their piece. And it just doesn’t work. 

I see my time is expired. Thank you. 

Chairman ISSA. I thank the gentleman. 

Mr. DeSantis? 

Mr. DeSantis. Thank you, Mr. Chairman. Thanks to the wit- 
nesses. 

Mr. Henry Chao, he told the committee when they interviewed 
him that he had not ever rolled out a program that had complete 
systems-wide end-to-end testing. I just wanted to get your take on 
that, to not have system-wide end-to-end testing. Is that a good 
practice? 

Mr. Spires. That is poor practice at best. I may make another 
comment about this, if I could. I was, as far as what I know, right 
around the timing, the testing clearly was not adequate to put this 
system into production. My experience has always been, and I have 
had to live this, where we have made these hard calls. It is better 
to delay, and it is better to delay for two reasons. One, you only 
get that one chance to make that first impression with a system. 
We clearly didn’t do it well here, did well, with the rollout of 
Healthcare.gov. 

But two, and even more importantly than that, once you put the 
system in production, you have to operate it and maintain it, deal 
with all the customer issues and all that. That in and of itself is 
a very large amount of work that takes energy from the team, rath- 
er than the team really getting to the point of fixing the system 
to the point where it is running well, then putting it into produc- 
tion. 

And I know for whatever reason this October 1st date was 
viewed as immovable. But I think that was a very big mistake 
made on the rollout of Healthcare.gov. 

Mr. DeSantis. I appreciate that. I was looking through some of 
the materials. In late September there was a memo that said that 
the ongoing development had posed a level of uncertainty that can 
be deemed as a high risk security threat. So when you see that, 
it seems to me that would be a big red light that this is not ready 
to go forward. Would you concur with that? 

Ms. Evans. Based on my experience, yes, sir, I would. That 
would be a risk that you would have to evaluate the October 1st 
deadline against, what kind of operating risk is there and can you 
mitigate that risk. It would have to be fully explained to the lead- 
ership involved, in this case the CMS director and probably farther 
up, about what could happen if we went forward with the imple- 
mentation and we haven’t fully tested all of these things. 

Mr. DeSantis. It is frustrating, because so much of this law, and 
we see it in the implementation, was based on representations to 
the American people that have now turned out not to be true, for 
example, if you like your plan you can keep it, if you like your doc- 
tor you can keep it, it will reduce the budget deficit, it will cover 
everybody. The most recent estimate is 10 years from now, you are 
still going to have 31 million people with no coverage. So this bill 
doesn’t even do that. 
As I was looking through some of the testimony, some of these 
regs that the people needed in order to start implementing it were 
delayed on purpose, on political decision to get through the 2012 
election. So these folks were in a situation where they had to kind 
of create this website, but they actually weren’t given as much 
time as they could have had the Administration been forthright 
about some of these things. But there was a desire to move this be- 
yond the 2012 election, so that the American people would not be 
able to fully evaluate the program. 

So what I have seen here today is that there was a decision by 
the Administration, a knowing decision, to launch a website that 
did not work and indeed, was not adequately tested for security. I 
think this is problematic just generally, no matter what you are 
doing from a government IT perspective. But this website is 
unique, because individual Americans, and we have millions of peo- 
ple now who are seeing their insurance plans canceled because of 
this law, it is not like that website is just out there for them. They 
are forced to get, under penalty of law, health coverage through 
that website if they are one of the unfortunate folks who are seeing 
their plans canceled. 

So we are in a situation where the government is going to tax 
them unless they procure insurance off this website that is not 
fully functioning and that has questions about its security. So it is 
very, very discouraging. I have a lot of constituents who are upset 
about this. 

So I just appreciate you guys coming. I think this is, in terms 
of a case study on how not to do something, I think people will look 
back on this. But I think one of the things was, there were political 
imperatives here and the politics trumped what would work and 
what would be best for the American people. I think that is unfor- 
tunate. I yield back the balance of my time. 

Chairman ISSA. I thank the gentleman. 

I would like to ask just a couple more questions, seeing no one 
else here. Both of you served the previous Administration. Did they 
ever tell you what the cost of not launching one of your projects 
was? In the private sector, it is like, we are going to have X 
amount of revenue every month, and if we don’t launch Windows 
XP, then we lose that much revenue? Did you ever have those dis- 
cussions as part of your daily work? 

Mr. Spires. We would, sir. The IRS had discussions about it. 

Chairman Issa. For example, the new audit thing. 

Mr. Spires. Yes. There were business models that were built for 
systems that would show the kind of return. And of course, at the 
IRS, you could actually measure it many times in dollars. So yes, 
we did have those kinds of discussions. 

Chairman Issa. How about you, Ms. Evans? 

Ms. Evans. We would have those discussions across the board on 
each and every agency’s performance. So when agencies turned in 
a business case to justify the investment, they also put in there the 
return or the cost benefit analysis. So if you delay the launch date, 
then it affects your ability to start getting some of the benefits. Be- 
cause the benefits in the government, when you measure them, is 
a little bit different than the bottom line in private industry. So it 
is benefits to the taxpayer for the services that could be delayed 
with a delayed launch. 

Chairman Issa. In this case, that doesn’t happen to be true. This 
is like a private business, and I will show you here. I wish Mr. 
VanRoekel was still here. The estimate from CBO at the time of, 
well, they keep changing it, but in February of this year, the esti- 
mate was that penalties from uninsured individuals were going to 
total $52 billion over a decade, half a billion dollars a year. Al- 
though that number keeps shrinking of what they think they are 
going to get, similarly the penalties from employers, $150 billion 
over 10 years, more or less $100 million a month. 

So here is this website, and Mr. Cummings and I have heard the 
figure $600 million enough times that it echoes in our sleep. But 
the delay of ObamaCare from a standpoint of revenue, when the 
President had to delay the employer mandate, he was losing $100 
million a month of revenue. If he had had to delay the -- no, I am 
sorry, I got my figure wrong. I will have to be careful on that part. 
Forty-five billion over 10 years is $4.5 billion a year. So it is about 
$250 million, well, the back in February it was $300 million a 
month would have been lost if he delayed the penalties on the un- 
insured individuals. But he had already delayed something that 
was three times larger. 

So the reason I am asking this is, Ms. Evans, if you were back 
at OMB and somebody had told you in timely fashion, we are in 
trouble on this website, and we need to delay this thing because 
our projections two months or three months out, it is not going to 
be ready, and you were looking at having to go to the President 
and say, we would like you to delay something that will delay rev- 
enue by $300 million a month, wouldn’t you have had a normal 
business decision of, well, can’t we spend $300 million more if that 
is what it takes to get this thing done on time? 

In a sense, again, I go back to what I said before Mr. Cummings 
was there, the President was so poorly served in that I assume, 
and Mr. Spires, your experience particularly would be helpful here, 
I assume that if six months earlier you said, in order to not lose 
$300 million a month of revenue, calculated revenue, we need to 
put more money into this, we wouldn’t be talking half a billion or 
a billion or $2 billion. We would be talking incrementally a rel- 
atively small amount of money to do a project necessary to get this 
thing locked in and tested in a timely fashion, wouldn’t we? 

Mr. Spires. If I could comment. I would even say this, I am not 
sure this was about money. I am not sure we would have had to 
add more people to this. 

Chairman Issa. I don’t think we would have. I just wanted to 
make the point that there was plenty of money at stake. 

Mr. Spires. Well, there might have been. But I go back to the 
point of the program management disciplines. Now, to that end, 
once you get close, once you are six months in, it is very, very hard 
to then change. You are not going to pick up a lot of time. 

But if this had been done correctly on the program management 
side, I suspect that the money was there. I don’t think that was 
a constraint on this particular program. 

Chairman Issa. Ms. Evans? 

Ms. Evans. Given the scenario that you just outlined, the way 
that this would be presented during my tenure, the way we would 
present it is, these are tradeoffs, policy decisions that need to have 
tradeoffs. So you would analyze, this is the income that was going 
to come in, this is the method that we thought we were going to 
be able to do. But given where it is, here are the alternatives, and 
then here are the tradeoffs, so that you can either realize a portion 
of that or we can then recover it and then some if we go with this. 

So alternatives would have been vetted through the policy process so 
that people could have looked at that and then said, okay, well, we 
can’t put so many people on it, there is a point of diminishing re- 
turn. There is only so many dollars and so many people that you 
can throw at an IT project in order to fix it. 

So then you would have alternatives in order to realize that in- 
come, so that you could move forward to reduce the deficit. That 
is part of the analysis that the Office of Management and Budget 
would lend to the policy process so that the decisions could be 
made by the appropriate policy officials. 

Chairman Issa. Let me just close with a question. If we went 
back three and a half years and upon the passage the regulations 
necessary to determine some of the specifics this offer would have 
to deal with had been done in a timely fashion, six months or so, 
then presented to industry and stakeholders and going through a 
process of, if you will, analyzing it from a standpoint of needs of 
those who would use it, then taking the outcome of that, producing 
a standard, a year, year and a half into this process, delivering 
that to the contractor and then monitoring the process of a fixed 
and final set of regulations relative to this new website and its 
work, is there any doubt in your mind that three and a half years 
was in any way, shape or form not enough time to start with the 
passage of the Affordable Care Act three and a half years ago and 
reach a well-tested, well-engineered, from a security, speed, 
scalability on the launch date of October 1st? 

In other words, was there anything inherently wrong with picking 
October 1st that good practices over three and a half years 
wouldn’t have taken care of? 

Mr. Spires. I think with where they are at, it is a little hard to 
know how long it will take for this to really stabilize. But it will 
stabilize. So if you look at it from that perspective, sir, I am pretty 
sure that if this had been well-managed, and to your point, include 
the regulation process of that, that this site could have been deliv- 
ered and appropriate on October 1st and could have been well run- 
ning on that date. 

Ms. Evans. I would look at it, and I always look at things from 
my tenure at OMB. 

Chairman Issa. It was a long tenure. 

Ms. Evans. It was a long tenure. And also from an operational 
perspective coming up. But I would have looked at the law to un- 
derstand what were we really required to do by what time period. 
And really scoped the project to a point where it was very clear and 
understood what was going to be delivered. 

I think one of the major issues that you have here with the re- 
quirements that happen on every IT project is that they are scope 
creeped. So as people start working through it, they add on another 
requirement and they add on another requirement. So the parameters 
have to be drawn on something that is this complex, so that 
everyone would have a clear understanding of what is really going 
to launch on October 1st, if that is the President’s due date. And 
then stick to that and everything else becomes an add-on and a 
module. That is best business practice. And if it is critical, that you 
have to have it, then it has to be voted on through the good govern- 
ance process through a business process. 

That is the part that is still a little unclear in this overall process 
of what really was the scope, and what was expected to be deliv- 
ered on October 1st. 

Chairman Issa. Thank you. That is what we are going to con- 
tinue working on, regardless of the actual Affordable Care Act, the 
question of what went wrong and how do we prevent it in the fu- 
ture. 

Mr. Cummings? 

Mr. Cummings. Thank you very much. 

Ms. Evans, I was listening to you very carefully. You said that 
if you were in this situation where your boss had to go before the 
American people and do what President Obama did, and I am not 
trying to put words in your mouth, you said you probably would 
resign. Is that right? 

Ms. Evans. Yes. 

Mr. Cummings. There are two parts to this. One part is what 
happened in the past. The other part is where we go in the future. 
I think it is very important that we learn from the past. I believe 
that it can tell us a lot about mistakes we made, so that we don’t 
fall into those ditches again. 

This is where I want to go. I say to my staff, there are two things 
that I am most concerned about, effectiveness and efficiency. I tell 
them we have a limited amount of time on this earth, we have a 
limited amount of time to be in the positions that we are in, that 
it is our watch and we must do what we have to do for the Amer- 
ican people in an effective and efficient way. 

I guess my question is, suppose you are President Bush, say if 
he was in these circumstances. And he said, Evans, don’t quit. Fix 
it. What would you do? And do you believe it could be fixed in a 
reasonable amount of time? If at all? So you didn’t quit. 

Ms. Evans. I didn’t quit. 

Mr. Cummings. We wouldn’t let you quit. 

Ms. Evans. You wouldn’t let me quit because I had to fix my 
mistake. So at this point I would be down in the daily operations, 
I would have done an assessment to see what exactly could be fixed 
and then again, back to the scoping issue of what the President ac- 
tually said would be available and what is now required. Now, you 
have additional circumstances on here with the insurance companies 
canceling policies, and you have this gap now where people actually 
have to be able to sign up for services. So that would be analyzed, 
and I would say, okay, here is where we are with the IT 
project, we need to put other kinds of compensating controls in 
place in order to be able to deal with the American public’s need 
to be able to sign up for insurance. 

And that would be then elevated through the policy chain. So 
things like going directly to insurance providers, putting up, as 
Chairman Issa said, the whole list of what plans are available so 
that people could at least see the information and not necessarily 
sign up, all those alternatives would be laid out. And they would 
be viewed from a communications perspective, from a policy per- 
spective and from a political perspective to ensure that you could 
put the best service forward to meet that immediate need of that 
gap between the December 15th and the January 1st deadline. Be- 
cause that is the big critical piece that you are trying to get to right 
now. 

And how do you fix that and how do you meet that need for the 
American people. 

Mr. Cummings. Mr. Spires, did you have a response to my same 
question? 

Mr. Spires. Well, let me add on. 

Mr. Cummings. Yes, do you have something to add onto what she 
said? 

Mr. Spires. Let me just add that I applaud, and I want to thank 
the team that is working on this. We talked about Mr. Park and 
what he is doing, but my goodness, the whole team has to be work- 
ing around the clock. 

Mr. Cummings. Are you familiar with the team, other than Mr. 
Park? 

Mr. Spires. No. 

Mr. Cummings. Are you familiar with Mr. Park? 

Mr. Spires. Yes. 

Mr. Cummings. And what is your opinion of him and his com- 
petence? 

Mr. Spires. He is a very talented technologist, extremely tal- 
ented. 

Mr. Cummings. They tell me he is one of the best in the world. 

Mr. Spires. I think that is probably a fair assessment, sir. 

Mr. Cummings. All right. 

Mr. Spires. Let me add a couple things, though, about the end 
of November. I would like it to work, too. This is all, for me, about 
helping government make IT more effective. But this end of No- 
vember, there are two concerns I have. One is, it is just very dif- 
ficult when you are in this, when you do integration testing, and 
that is essentially what we are still doing, even though the system 
is alive, for a while you tend to find defects actually increase as you 
do more testing. And even as you work things off and fix things, 
you even get more. So I am worried about that. 

The other thing I am worried about, frankly, is when you do this 
integration testing, a lot of times you will uncover some significant 
architectural issues. You may not, but sometimes you do when you 
integrate these subsystems. You know where those architectural 
issues show themselves are in performance issues. 

So I am concerned that we are seeing, when they open it up and 
it doesn’t perform well from a scalability standpoint, and handling 
the volume, that is an indication of some potentially underlying 
technical issues from an architecture perspective. Those things may 
take longer to fix. 

This is just my experience in working these kinds of problems in 
the past. So when they say they are going to have it fixed by November, 
for the vast majority of users, I hope that is the case. I 
just have concerns that that may not turn out to be the case. 

Mr. Cummings. I think that Mr. Park answered that question 
several times. 

Mr. Spires. Yes. 

Mr. Cummings. And he talked about, and I think it is probably 
because of the things that you just talked about, he said that, I can 
almost repeat it, he said it so many times, that they have a goal 
and they are going to try to attain that goal. 

Mr. Spires. Yes, absolutely. 

Mr. Cummings. But you said something a few minutes ago, you 
said that, and I am going to put words in your mouth, you said 
something to the effect that eventually they will get it together. 

Mr. Spires. Yes, they will. 

Mr. Cummings. And my last comment is this. I guess as the son 
of two former sharecroppers sitting in the Congress after one gen- 
eration, and a father who only had a second grade education, my 
father believed in a can-do attitude. Can-do. That is what this 
Country is all about. 

I guess when I hear all the naysayers, I am so glad to hear you 
say that you believe that it will be worked out. You don’t know 
when, I understand that. But some kind of way, we have to move 
to that can-do. This is the United States of America. I think it 
would be an embarrassment if we can’t get this done. Would you 
agree, as IT people? 

Ms. Evans. Absolutely. We are the Nation that innovates and 
creates technology. So it will get fixed. This is really a communica- 
tions issue and an expectation of what are the services that are ac- 
tually going to be there. We have the technology to fix it, and you 
have some of the smartest people, I am sure, working on it right 
now. Technology is not a partisan issue. What really needs to be 
debated overall is some of the other issues that you brought out in 
what you are talking about, is the policy issues. That is where the 
President should be debating with you, Congress, on policy issues. 
Technology should be implemented to support that. 

Mr. Spires. I think it is also important to say that the way we 
manage our IT programs in government needs to improve. That is 
a non-partisan view. I saw it in the last Administration and I see 
it in this Administration. 

Ms. Evans. I agree. 

Mr. Spires. We need to fix that. 

Mr. Cummings. Thank you both. Your testimony has been
extremely helpful. Thank you.

Mr. Meadows. [Presiding] I thank the ranking member for his 
comments. I thank each of you for coming today to testify. 

I do want to follow up a little bit with this additional testing. As 
we start to go in, and having been someone who was in the private 
sector, who has worked a number of times with systems, just when 
you think you have the problem fixed, you find ten more. 

So with best practices, do you not think it is best practice to take 
down the site while we work through these technical glitches and, 
more importantly, through some of the security concerns which are 
a bigger problem for me than whether we can get on and log on, 
it is once you have done that, would that not be the best practice,
to take it down? 

Mr. Spires. Yes. Let me caveat it by saying, this is a non-political
statement I am making. Just from a best practices perspective,
if I was running that program and no other considerations, I would 
immediately take the site down. I would have the team focus on 
working through the issues. I would do real stress testing on the 
system and then I would bring the site back up when it was ready. 
That is what I would do from a best practice perspective. 

Mr. Meadows. Without all the politics of it. 

Mr. Spires. Without any of that. 

Mr. Meadows. But from a best practices standpoint? 

Mr. Spires. Yes, because it could get the team focused on fixing 
the system and not operating the system right now. 

Mr. Meadows. Ms. Evans, I want to go to some of your testimony.
Let me quote here, because I want to understand what you
said. You said, “The functionality and shortcomings of
Healthcare.gov are a result of bad management decisions made by
policy officials within the Administration.” They did this “to themselves.
And if they are now surprised, is it because their own policy
officials failed to inform them of the decisions and the consequences
associated with those decisions.” We asked that in the earlier
panel. And we really didn’t get a response. But in light of your
testimony, what did you mean by that?

Ms. Evans. For example, a decision that was made to remove the 
browsing function. When you make that decision, and what came 
out in the previous panel was that was actually made by the 
project manager, based on a technical result of testing. 

So by that type of decision and rolling that up, there is policy
implications associated with that. So the policy officials said, okay, it
is okay. So if you take a sequence of events that are programmed 
into a system that are supposed to go one, two, three, four, five, 
and you take out number two, and now you expect one, three, four 
and five to work really well and two is not there anymore? That 
was a policy decision to go forward with a site, with a major piece 
of functionality pulled out and not tested. That is why I made the 
statement about, and now you are surprised that it is not working. 

Mr. Meadows. So they shouldn’t be surprised? 

Ms. Evans. They should not be surprised. If the sequence is one, 
two, three, four, five, and you take two out, and you haven’t tested 
the impact of when two is out, you should not be surprised it 
doesn’t work. 

Mr. Meadows. So let me ask you this, then. Who should have 
informed the White House or what policy official should have done 
that in this overall Healthcare.gov? Who is the go-to person? That 
is what we have been trying to figure out. Who is the go-to person 
that said, golly, we pulled it out, but it is not working. 

Ms. Evans. In the rest of my testimony, and this is not a partisan
statement either, this is my belief of what the role of a chief
information officer is supposed to do. In my view, what would happen
is that would have come up from CMS. So it was made as a
technical decision. And the chief information officer at a department
level is supposed to analyze what that impact is on the portfolio
overall, on behalf of the Secretary. What is that going to mean
from both a policy, political, communications, technology, all of
that. And then elevate that issue. 

So I really believe that the chief information officer is the one
who is supposed to be the nexus, the tech-savvy person on that
staff, to analyze those implications as it relates to business and
policy.

Mr. Meadows. I know we have a lot of CIOs. Who specifically 
would that have been? What is the name? 

Ms. Evans. Well, in this particular case, if everything worked the 
way it is supposed to, it would have been the chief information offi- 
cer at HHS. 

Mr. Meadows. Which is who? 

Mr. Spires. Mr. Baitman. 

Ms. Evans. Mr. Baitman. Which is in his portfolio. 

Mr. Spires. Can I add, though, because I think that is absolutely 
right, what you said. But what I like to do in programs is pull 
those people together on a regular basis in some kind of governance 
forum so that you can have those dialogues, so the CIO can represent
the technology issues and implications to policy changes.
But it shouldn’t just be the CIO’s decision. 

Ms. Evans. No, and I am not saying it should be the CIO’s decision.

Mr. Spires. It should be a shared decision. 

Mr. Meadows. A shared decision, but he should be the one informing?

Mr. Spires. That is correct. 

Ms. Evans. That is right. 

Mr. Meadows. So I will finish with this last question. I have 
Google in my district. I love Google. We have, in California, which 
I don’t represent, we have unbelievable expertise. Because we are 
the greatest Nation, as the ranking member talked about, would 
we not be reaching out to those experts right now and saying, 
please come help us get it all done? Would that not be the appropriate
thing to do?

Mr. Spires. I thought they had brought in a few of the technical 
experts as well. 

Mr. Meadows. But really, if we are trying to get this done by 
November 30th, which I think a lot of us question whether it will 
really happen, and that should not necessarily be an indictment, 
would we not reach out to more experts in the private sector? 

Mr. Spires. I think at this point that would not work for November
30th. The learning curve is so great, you would spend more
time trying to get these experts up to speed on the specifics of the 
details of Healthcare.gov than you would get any benefit out of that 
at this point. That doesn’t mean going forward you might not want 
to engage others as well. 

Ms. Evans. The one thing I would want to add, I think both 
Richard and I have been in situations with challenged rollouts in 
our career, where we have had challenged rollouts. To your point, 
the best value that Silicon Valley could do at this point is validate 
the solutions you are going to put in place. 

So what I have done in the past on projects where I have had, 
and I have had failures in my career, as my technical team is telling
me that this is what we are going to do or these are the
changes that we are going to make, we would validate those
against and talk to Silicon Valley saying, from a technical perspective,
so they are only analyzing the technical issues at that point,
saying, if we roll this out and this is the current problem, and we
make these configuration changes, is that going to solve the problem.
That is probably the best application of those resources at that
point, and as well with Healthcare.gov.

Mr. Meadows. I thank the chairman. 

Chairman Issa. [Presiding.] I thank you, and if this were health
care and not IT, we would probably say, get a second medical opinion
in this case.

Mr. Cummings? 

Mr. Cummings. Again, I want to thank you all. I think when we 
talk about best practices, you look at, I wish maybe in this instance 
that some of these best practices that we are talking about had 
been done. And I noticed that you all talked about IT, technical, 
and then you also talked a little bit about political. There is so 
much that goes into these decisions. But for me, I want to see this 
work, and I am sure you do too. 

I do not, I just don’t believe in failure. We are better than that. 
I hope that the folks who were part of the process will hear the 
things that you are talking about. Because I think our strength is 
in the expertise we all bring. All of us have our own experiences. 
And having served in the positions that you served, and served, 
you bring a lot to the table. Hopefully, folks will have their ears 
open and their minds open to make sure that this doesn’t happen 
this way again. I know we can do better. 

And I guess the bottom line is that there are so many people that 
are depending on us. There are a lot of people. 

Mr. Spires. I am not calling this a failure, sir. It is troubled. But 
this is not a failure. We need to get it fixed, you are right. 

If I could just also say, because I think it is important enough 
to say, I made this comment, but I think it is important, we need 
the CIOs to be strengthened in this government from the standpoint
of their empowerment.

Mr. Cummings. So you are familiar with Mr. Issa’s bill? 

Mr. Spires. Absolutely, and I very much support that. 

Mr. Cummings. Do you think that legislation gets to the issue 
you are trying to get to? 

Mr. Spires. Yes. When you have the lineup of CIOs on your first 
panel and none of them were really engaged, that is just not correct.
And it leads to failure of IT programs.

Ms. Evans. My view is that the legislation should pass. I have 
had a lot of discussions with Chairman Issa’s staff about this, and 
the role of the CIO. I obviously feel very passionate about it. I believe
if that law is passed, it will remove all excuses for non-performance
of CIOs and you would have a very different oversight
meeting. Because everything that the CIOs have said in the past 
that they cannot do, that legislation would fix. Therefore, they 
would be held accountable for their job. 

Mr. Cummings. By the way, that is something we did on a bipartisan
basis.

Ms. Evans. That is right. 
Mr. Cummings. Thank you very much. I really appreciate both
of you. 

Chairman Issa. Thank you. 

I have just one closing question. I know that you are not software 
writers per se. But I talked to Mr. Farenthold, who actually put up 
websites. And I just ask a question. You saw on the last panel 
where I essentially admonished all of them to look at the FEHBP 
or what was just for 230 plans, what was just a few pages that 
would tell you how much each plan was and how much the government
would pay and how much each person would pay.

Now, one of the reasons that that was only a few pages is that 
that spreadsheet was for a program that did not age discriminate. 
The Affordable Care Act discriminates based on three things: the 
plan itself, if it is regional, has a region in which it operates. If it 
is national, it has a single price, like FEHBP. 

It rate discriminates based on age and whether you smoke or 
not. I have gone back and forth, those are the only variables. So 
for a given location, which is where you choose your plan, let’s just 
say the Alabama something or other, you only have to know your 
age and whether you smoke or not. And I do a little quick math, 
and again, unlike the gentleman from Harvard, Mr. Park or Mr. 
Massie from MIT, I went to Kent State and a little Catholic school
up in Michigan. So I did arithmetic, not calculus. 

But between 65 and 27, when you leave your parents’ plan, and 
the time you are eligible for Medicare, there are 38 years. So as 
far as I can tell, there are 38 different ages you could be based on 
the costs of a given plan. And then the question of do you smoke 
or not. 

So I saw essentially a spreadsheet or a data base to retrieve from 
of 76 possible answers if you want to go to a plan and ask how 
much it costs. 

Now, for both of you, if I wanted a website that had an engine 
in the back end that looked at, for a given plan, and asked the 
question of, how old are you and do you smoke or not, and then 
I went out and got the number from that cell, how hard do you 
think that would be? Because you understand on September 12th, 
or September 3rd, they made a decision to not launch that part. 
September 12th, they reiterated. They scrubbed moving the software,
they moved their people to other problems.

I just want to understand, how many people and how long do you 
think it would take for 76 different numbers that you put in on a 
little program, here is my age and I smoke or I don’t smoke, and 
I want to know how much this plan is? And I am being a little facetious,
and Mr. Spires, you are both smiling well. But that really is
the website that we are asking for a splash-type open shopping. 

Mr. Spires. Obviously, with the requirements you stated, that is 
a pretty simple website. I suspect that what Mr. Chao was referring
to had a lot more functionality and capabilities, and you can
call it bells and whistles, and that may be inappropriate, than that. 

Chairman Issa. But didn’t the American people deserve to be 
able to surf prices as simple as a data base? It is almost the back 
end of a pocket calculator to come up with that. 

Ms. Evans. Absolutely. But again, when you get into some of the 
big projects, and that is what I mean about scope creep, and really 
understanding what did have to launch on October 1st, based on
that policy decision. So if it is as simple as what you described, the 
government already has a website set up called Benefits.gov that 
those simple questions, and this might be an alternative that they 
could use right now while they are working on the longer plan, 
those simple questions could be put in there. You can fill out this 
information now, this was started as one of the 24 initiatives. And 
you would not only find out what you are eligible for under 
Healthcare.gov, but you could also find out what other Federal benefits
you are eligible for based on the way that you would answer
these questions that only live in the session. 

So that whole site was set up for Federal benefits, so that you 
could see everything that you are eligible for as a citizen. So that 
simple requirement could have launched and can still launch in 
Benefits.gov. 

Chairman Issa. I am of an age that I knew the names of all the 
Mercury astronauts. I didn’t know much about government contracting
as a young man, but I have been told that the space pen
was designed to be able to write in zero gravity, so they could make 
their notes in this inverted zero gravity. But the Russians used a 
pencil. 

[Laughter.] 

Chairman Issa. The pencil cost what it took to sharpen it, while
the space pen cost millions of dollars to design and produce. 

Now, that may be a euphemism for a lot of what we deal with. 
But today we heard somebody tell us that they decided to scrub because
there were security concerns over what ultimately was a glorified
splash page. If you were back, both of you were back in your
positions and you wanted to please your boss by giving him as 
much deliverable as you could, and 30 days out you discovered that 
something had to give, would you have grabbed a pencil out of the 
drawer instead of telling people they would have to wait months 
or years to get the space pen? 

Mr. Spires. I certainly would have tried that, sir. I would have 
even said, seems to me, and I will echo what Ms. Evans said, that 
there should have been a lot of work up front to simplify as much 
as possible what needed to be launched on October 1st. 

Chairman Issa. I want to thank you. Mr. Lacy Clay alluded to 
the Harris project that was done during a previous Administration 
where the Census Bureau, not really the Administration, had 10 
years to launch something and they kept changing it, so that the 
corporation could legitimately say that it wasn’t ready, but they 
could show all these change orders in what was basically a 
handheld scanner, not a terribly high-faluting piece of technology. 
So I do understand the mission creep. 

We were just told that apparently in the month of October, we 
signed up approximately 27,000 people into ObamaCare. With that, 
would either one of you like to venture whether or not the estimate 
we were given that they are now signing up roughly 27,000, on the 
Federal exchange, but we were told they are signing up about 
27,000 an hour. So apparently they are signing up about the same 
amount per hour that they signed up in the first month. 
Would any of you venture a guess to what that number will be?
Will it be at least ten times 27,000 an hour or 270,000 a day at 
the end of the month? Or are you going to bet on the low side? 

Ms. Evans. I am not a betting person. So I will put that on the 
record. There is not enough information for me to bet. 

Chairman Issa. But with 17,000 an hour being told to us under
oath here today, does anyone want to look at 170,000 or 200,000 
or 300,000 a day and bet higher or lower here? 

Ms. Evans. Lower. It is going to be lower, because he said 17,000 
registrations. So that is not 17,000 completions. This is again, you 
are talking about how they are measuring certain things and how 
you want the outcomes. So you are looking at the outcomes and 
they are measuring things at the beginning of the process. So if 
you are talking about all the way through the process, it is going 
to be on the lower side. 

Chairman Issa. I suspect you are exactly right. When I was in
private life, they always wanted to sell me impressions, how many 
impressions a piece of advertising got. And I always wanted to buy 
how many sales. So I suspect that we have 17,000 impressions an 
hour, while in fact the amount of sales could be not much more 
than that less than 30,000. So I am betting that when we get our 
answer at the end of November, that it is 100,000 or less in the 
Federal exchange. I certainly hope for more, because we need it to 
be, I think, 43,000 a day if we are going to cover everyone. 

Would either of you like to make any closing statements? 

Ms. Evans. I just want to say I appreciate your inviting me back, 
the committee inviting me back to share my viewpoints. I would 
echo some of the comments that Richard has made today, that it 
is important to get that legislation through to enhance the roles of 
the CIO, so that we can ensure that other things like IT procurement
and those things happen, so that we can avoid this for this
type project, for all of the whole, entire portfolio. 

Mr. Spires. I am not sure I could say it any better than you just 
said it, Karen. So I have no other remarks. Thank you. 

Chairman Issa. Thank you both. We always say, I will associate 
myself with the gentlelady. So I thank you both again for your public
service in the past and your continued service today. We stand
adjourned. 

[Whereupon, at 3:40 p.m., the committee was adjourned.] 
ONE HUNDRED THIRTEENTH CONGRESS

Congress of the United States

House of Representatives

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
2157 Rayburn House Office Building
Washington, DC 20515-6143

Majority (202) 225-5074
Facsimile (202) 225-3974
Minority (202) 225-5051
http://oversight.house.gov


November 6, 2013 


The Honorable Darrell E. Issa 
Chairman 

Committee on Oversight and Government Reform 
U.S. House of Representatives 
Washington, DC 20515


Dear Mr. Chairman: 



ELIJAH E. CUMMINGS, MARYLAND
RANKING MINORITY MEMBER 



I am writing to inquire about the protocols the Committee plans to utilize to properly 
secure highly sensitive documents produced by MITRE Corporation, the independent contractor 
hired by the Centers for Medicare and Medicaid Services (CMS) to perform security control 
assessments for the Healthcare.gov website. In light of the potential for ill-meaning individuals 
to use this information to damage the website or compromise the security of confidential 
consumer information, I propose that we meet to develop common guidance for our Committee 
Members on the proper safeguarding of these documents. 

On November 5, 2013, MITRE sent a letter to the Committee explaining that it 
“performed security testing on specific components of the site.” Accompanying this letter, 
MITRE provided to the Committee copies of “six password protected files of the security tests 
(Security Control Assessments) we performed for CMS.” 1 

MITRE explained in its November 5 letter that the information in these documents is 
highly sensitive. MITRE wrote that these documents, some of which date back to early testing 
of the system in 2012, include “code and other technical information that could be used to hack
the system.” Although many security issues discussed in these documents have been addressed, 
the company “redacted portions that could jeopardize the security and privacy of information on 
the site if inadvertently disclosed.” 

Even with these redactions, MITRE warned that the Committee should not release 
publicly the information contained in these documents. In a sentence underlined by the 
company, its letter stated: 


1 Letter from Kathleen Golden, Government Relations Manager, The MITRE 
Corporation, to Chairman Darrell E. Issa, House Committee on Oversight and Government 
Reform (Nov. 5, 2013). 
Even with the redactions, the information provided should still be considered sensitive
and may pose a security risk to the confidentiality of consumer information accessible
through HealthCare.gov if disclosed.

The documents themselves also indicate the highly sensitive nature of the information 
they contain. In addition to being password protected, the documents are marked with the 
header: “CMS Sensitive Information — Requires Special Handling.”

I am sure that no Member of our Committee wants to be accused of making public highly 
sensitive security information — either intentionally or unintentionally — that could give hackers a 
roadmap for destroying the Healthcare.gov website. I am equally certain that no Committee 
Member wants to be accused of taking any action that compromises the confidential information 
of American consumers. 

For these reasons, I would like to confirm the protocols the Committee intends to use to 
properly secure these documents and the information they contain. Before our hearing next 
week on this subject, I propose that you and I meet to discuss how we can instruct our 
Committee Members on safeguarding the information in these documents. I also believe this 
process should include careful consultation with both MITRE and CMS to avoid any possibility 
of misunderstanding. 

To be clear, I strongly support the Committee’s right to relevant information necessary to 
perform its oversight functions, and I am not suggesting that either MITRE or CMS should have 
a veto over the Committee’s actions. Instead, I am proposing that we work in a careful and 
deliberate manner to understand fully the risks involved with our potential actions and that we 
act in a concerted and bipartisan manner to obtain the information we need while protecting 
American consumers. 

Thank you for your consideration of this request, and I would appreciate the opportunity 
to discuss this matter with you directly prior to taking any actions with respect to these 
documents. 


Sincerely, 



Ranking Member 
and the --

A Right. Mary Wallace is in the Office of Communications. 
And I think, in a weekly meeting with her and with the CGI folks, it 
was determined that it wasn't, you know, kind of, working, so why leave 
it in? So I checked with Mary Wallace because, remember I said that 
we have business people that drive decisions? 

Q Uh-huh. 

A And in OC, where Mary works, she's in charge of the group 
that does the user experience, right? So if we're going to remove 
something, she has to give the okay, right? So she said it isn't 
needed. And my take was why put it in, because it's broken. And then 
the rest of it is actually, kind of, just the other folks clarifying. 

Q So being removed -- the anonymous-shopper function was 
being removed from, what, the next build or from the -- 

A Uh-huh. 

Q Okay. 

A Yeah. Disabled. 

Q Disabled. Did you tell CGI not to move forward with the 
anonymous-shopper function because you wanted to hide the true costs 
of health plans to the public? 

A No, I did not. 

Q And so the reason that you had said earlier was because it
kept failing in testing --

A Right. 

Q -- it wasn't working. Is that correct? 
A Yeah. Through consultation with Mark Oh and Monique and
Mary and the CGI folks, we believed that, you know, why deploy something 
that doesn't work. 

BY MS. SACHSMAN GROOMS: 

Q So would you say that the anonymous-shopper function was 
ready to go when you decided to turn it off? 

A No, it wasn't ready. 

Q And Mary Wallace is from the Office of Communications. Can 
you explain -- and I understand the Office of Communications isn't your
purview, but can you explain what the Office of Communications does? 
Because I think some people think that it's just, like, a press shop. 

A It has the press shop, but also OC has a Web site management 
group that runs Medicare.gov, CMS.gov, HealthCare.gov, 
GetInsuredNow.gov. All of the CMS.gov Web sites are run out of Office 
of Communications and their Website Management Group. 

And the biggie is that Mary's group also oversees the 
1-800-MEDICARE call centers and the marketplace call centers. So, 
yeah, that's a huge workforce that supports that, you know, Medicare
program and now marketplace.

So a lot of people are confused like you said; they think they're 
a press shop. But they actually have a very big operations shop, too. 

[Chao Exhibit No. 8 was marked for identification.]

Ms. Sachsman Grooms. This one has a Bates number that's on it. 


BY MS. LEE: 
Obama adviser: Demand overwhelmed
HealthCare.gov 

Tim Mullaney, USA TODAY 7:50 a.m. EDT October 6, 2013 

The Obama administration's top technology expert explains 
why the government's health care website isn't working and 
what's being done to fix it. 

A computer screen shows the healthcare.gov website, where people can enroll for health care 
exchanges under President Obama's health care law. (Photo: Lynne Sladky, AP)

Story Highlights 

• Enrollment functions of site will be unavailable during off-peak hours this weekend 

• The website will remain open for general information 

• Federal and state health insurance websites experienced problems this week 

The government website launched this week to sell health insurance was overwhelmed by up to 
five times as many users as it was designed to handle, President Obama's top technology adviser
said Saturday in an exclusive interview with USA TODAY.

U.S. Chief Technology Officer Todd Park said the government expected HealthCare.gov to draw
50,000 to 60,000 simultaneous users, but instead it has drawn as many as 250,000 at a time since
it launched Oct. 1.

Park's comments are the administration's most detailed explanation for the glitches that have 
frustrated millions of consumers who have tried to enter the site or complete applications for 
health insurance under the Affordable Care Act. 

"These bugs were functions of volume," Park said. "Take away the volume and it works." 

The administration built the site's capacity based partly on the all-time high of 30,000 
simultaneous users for Medicare.gov, an existing site where senior citizens can buy or renew 
prescription-drug plans under Medicare Part D, Park said. Its theoretical maximum capacity 
hasn't been disclosed. 

More than 8.1 million consumers visited the site from Tuesday through Friday, according to the 
White House. The administration hopes that as many as 7 million consumers eventually will sign 
up for health insurance through the government marketplace. 

HealthCare.gov's enrollment functions are shut down at off-peak hours this weekend so 
technicians can make repairs to the site. 

"We're obviously not satisfied with the performance," Park said. "We're working 24-7." 



The site will be running better by early next week, he said, though he declined to make specific 
guarantees. The administration isn't yet prepared to say how many simultaneous users the 
upgraded site will be able to handle, he added. 

The administration's explanation didn't impress a Bush administration official who helped launch 
Part D in 2006. 

"Whoever thought it would draw 60,000 people wasn't reading the administration's press 
releases," said David Brailer, former national coordinator of health care information technology. 
"The Medicare Part D site was supposed to have 20,000 simultaneous users and was (built for) 
150,000, and that was back when computing was done on an abacus. It isn't that hard." 

The volume since Tuesday overwhelmed a specific component of software on the 
HealthCare.gov site that lets people create accounts, enabling them to shop for insurance plans 
available in their state, Park said. 

The part of the site that explains generally how the new law will work, and gives broad 
information about the kinds of plans available, has worked throughout the troubled launch, he 
said. 

The Affordable Care Act called for the Department of Health and Human Services to build an 
online exchange, or Internet store, to let uninsured consumers compare and buy plans offered by 
private insurance companies. The government will subsidize coverage for many working-class 
and middle-class families, while poorer citizens may be covered by the law's expansion of the 
existing Medicaid program for low-income families. 

The exchange misfired almost immediately upon its launch. 

This photo provided by HHS shows the main landing web page for HealthCare.gov. (Photo: AP)

Engineers quickly deployed software that referred visitors to an online waiting room, hoping that 
controlling the number of people trying to create accounts would ease pressure on the software, 
Park said. But serious performance issues have plagued the site all week, he said. 

Park disputed a Reuters report that quoted non-government technology experts who theorized 
that the site's architecture inadvertently made it mimic a common method by which hackers 
attack websites to shut them down, forcing the software to misfire. 

"That is not the driver of the bottleneck," he said. 

The site is managed by the Center for Medicare and Medicaid Services, Park said. It is hosted at 
a secure, privately owned cloud computing facility in Virginia. Outside experts this week had 
questioned whether the site was being run on cloud-based technology, whose flexibility usually 
lets website owners adjust quickly to spikes in traffic. 

But the problem proved to be more complex than just adding more computer servers to manage 
the extra demand, he said. 

A team working on the site is taking two other steps to fix the problem, Park said. 
It is upgrading software that lets people create accounts to apply for insurance. One symptom of 
this has been malfunctioning pull-down menus that have worked only intermittently all week. 
And HealthCare.gov is moving one part of the site that processes applications from so-called 
virtual machine technology, which uses software to let a website securely share computer servers 
with other sites, to using servers dedicated exclusively to that process, he said. 

That change will add extra computing power, complementing the software upgrade to make the 
registration process work more smoothly, he said. 

The explanation is "a little geekalicious," he said. 
DEPARTMENT OF HEALTH & HUMAN SERVICES 
Centers for Medicare & Medicaid Services 
7500 Security Boulevard, Mail Stop N3-15-25 
Baltimore, Maryland 21244-1850 

OFFICE OF INFORMATION SERVICES 

MEMORANDUM 

DATE: SEP 3 2013 

TO: Director, Consortium for Medicare Health Plans Operations (OA/CMHPO) and Acting 
Deputy Center Director for Operations, Center for Consumer Information and 
Insurance Oversight (CCIIO) 

FROM: Chief Information Officer and Director, Office of Information Services (OIS) 

SUBJECT: Authorization Decision for the Federal Facilitated Marketplaces (FFM) System 

ACTION REQUIRED 30 DAYS FROM THE DATE OF THIS MEMORANDUM 


The Federal Facilitated Marketplaces (FFM) System is a Moderate level system located at the 
Terremark Datacenter in Culpeper, Virginia. The system maintains records used to support all 
Health Insurance Exchange Programs established by the Centers for Medicare & Medicaid 
Services (CMS) under the health care reform provisions of the Affordable Care Act (Public Law 
11-148). FFM will help qualified individuals and small business employers shop for, select, and 
pay for high-quality, affordable health coverage. Exchanges will have the capability to 
determine eligibility for coverage through the Exchange, for tax credits and cost-sharing 
reductions, and for Medicaid, Basic Health Plan (BHP) and Children's Health Insurance Program 
(CHIP) coverage. As part of the eligibility and enrollment process, financial, demographic, and 
(potentially) health information will flow through the Exchange. 

On August 8, 2013, you certified the controls for the system and submitted along with your 
certification the other required documentation necessary to obtain an Authorization to Operate 
(ATO) for FFM. 

I have determined through a thorough review of the authorization package that the risk to CMS 
information and information systems resulting from the operation of the FFM information 
system is acceptable predicated on the completion of the actions described in the attachment. 
Accordingly, I am issuing an Authorization to Operate (ATO) for the FFM information 
system to operate in its current environment and configuration until August 31, 2014. The 
current configuration includes only the Federal Facilitated Marketplaces Qualified Health Plans 
(QHP) and Dental modules. This system is not authorized to establish any new connections or 
interfaces with non-CMS FISMA or other non-CMS connections without prior approval during 
the period of this ATO. An impact analysis must be conducted for any system changes 
implemented after the issuance of this ATO. Any major modifications that affect the security 
posture of the system will require an appropriately scoped security controls assessment and 
issuance of a new ATO. 


Contains Sensitive and Proprietary Business information - 
Maintain as Confidential 


CG1HR00002826 
The security authorization of the information system will remain in effect until the indicated 
expiration date if the following conditions are maintained: 

(i) Required periodic security status reports for the system are submitted to this office in 
accordance with current CMS policy; 

(ii) New vulnerabilities reported during the continuous monitoring process do not result 
in additional agency-level risk that is deemed unacceptable; and 

(iii) The system has not exceeded the maximum allowable time between security 
authorizations in accordance with Federal or CMS policy. 

The attachment provides information on requirements not met, as well as corrective actions 
needed to bring them into compliance. The actions set forth in the attachment must be entered 
into the approved CMS Plan of Action and Milestones (POA&M) tracking tool no later than 
30 days from the date of this memorandum, and the action items addressed no later than the 
designated completion dates. This office will monitor all POA&M items submitted during the 
period of authorization. 

If you have questions, please contact Teresa Fryer, Chief Information Security Officer (CISO), at 
410-786-2614. The DISPC team is also available to support staff level questions at 
CISO@cms.hhs.gov . 


Tony Trenkle 


Attachment 


cc: 

Mark Oh, Director OIS/CIISG/DHIM 

Darrin Lyles, ISSO, OIS/CHSG/DSMDS 

Teresa Fryer, CISO, Director OIS/EISG 

Michael Mellor, Dep. CISO, Dep. Director OIS/EISG 

Desmond Young, OIS/EISG/DISPC 

Jessica Hoffman, OIS/EISG/DISPC 

James Mensah, OIS/EISG/DISPC 


CMS SENSITIVE INFORMATION - REQUIRES SPECIAL HANDLING 

Attachment 

Federally Facilitated Marketplaces (FFM) System 

Authorization Decision 


Authorization decision is required for the following reason(s): 

[X] New System 
[ ] Major system modification 
[ ] Serious security violation 
[ ] Changes in the threat environment 
[ ] Expired authorization to operate 

I. Authorization Decision 

I have reviewed the information concerning the request for an Authorization to Operate and with 
consideration of the recommendations provided by my staff; I concur with the assessment of the 
security risk. This risk has been weighed against the business operational requirements and 
security measures that have or will be implemented. I have determined the following 
authorization decision is appropriate. 


[X] Authorization to Operate 

The current risk is deemed acceptable. The applicable system is authorized to operate until the 
designated date, subject to the authorization actions in Section II. 

This authorization will expire: August 31, 2014. This authorization may be withdrawn at the discretion 
of the Authorizing Official for lack of progress on the authorization actions in Section II, or any security violations 
deemed to increase the risk to CMS beyond a tolerable level. 

[ ] Denial of Authorization to Operate 

The current risk is deemed unacceptable. The applicable system may not operate until the 
authorization actions listed in Section II are completed, after which, verification of corrective 
actions and resubmission of the authorization package is required. 


(Authorizing Official Signature and Date) 
Tony Trenkle 

CMS Chief Information Officer 


II. Authorization Actions 


Failure to meet the assigned due dates without prior approval invalidates this authorization to 
operate. The following specific actions are to be completed by the date(s) indicated: 


Finding: FFM has an open high finding: Macros enabled on uploaded files allow code to 
execute automatically. 

Finding Description: An excel file with a macro which executes when the spreadsheet is opened 
was uploaded for review by another user. The macro only opened up a command prompt window on 
the local user’s machine; however, the threat and risk potential is limitless. Keeping macros 
enabled relies on the local machine of the user who downloads to detect and stop malicious 
activity. 

Recommended Corrective Action: Implement a method for scanning uploaded documents for 
malicious macros. Ensure that the existing or equivalent compensating controls remain in place: 

• The file upload function is only available for a limited period each year. 
• The file upload function is not available to all users, only plan users. 
• File types able to be uploaded are whitelisted. 

Risk: The presence of high risk findings in a system represents an increased risk to the CMS 
enterprise. Lifecycle management of the system requires initial testing for FISMA authorization 
and continuous monitoring. Non-compliance with the CMS Information Security (IS) Acceptable 
Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR) without continuous 
monitoring presents an unacceptable risk. (CA-2). 

Due Date: May 31, 2014 


Finding: FFM has an open high finding: No evidence of functional testing processes and 
procedures being adequate to identify functional problems resulting in non-functional code 
being deployed. 

Finding Description: Software is being deployed into implementation and production that 
contains functional errors. Untested software may produce functional errors that cause 
unintentional Denial of Service and information errors. 

Recommended Corrective Action: Retest FFM each quarter and submit a new CMS Security 
Certification Form for an Authority to Operate (ATO) request each quarter. Following is the CMS 
Security Certification Form for an ATO request schedule for re-evaluation: 

January 2014 
April 2014 
July 2014 
October 2014 
January 2015. 

The most recent Security Control Assessment (SCA) should be final and have a Plan of Action 
and Milestones approved. 

Risk: The presence of high risk findings in a system represents an increased risk to the CMS 
enterprise. Lifecycle management of the system requires initial testing for FISMA authorization 
and continuous monitoring. Non-compliance with the CMS Information Security (IS) Acceptable 
Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR) without continuous 
monitoring presents an unacceptable risk. (CA-2). 

Due Date: February 26, 2015 



Finding: Many FFM controls are described in CFACTS as “Not Satisfied”. 

Finding Description: Many FFM controls documented in the security controls section of CFACTS 
have an effectiveness of “Not Satisfied”. Security controls are not documented as being fully 
implemented. 

Recommended Corrective Action: Update the security controls in CFACTS. Use the Risk 
Management Handbook Volume II Procedures 4.2 and 5.6. 

Risk: There is the possibility that the FFM security controls are ineffective. Ineffective 
controls do not appropriately protect the confidentiality, integrity and availability of data 
and present a risk to the CMS enterprise. (PL-2). 

Due Date: February 7, 2014 

Finding: FFM appears to have selected an inappropriate E-Authentication level. 

Finding Description: FFM information contains financial and privacy data. According to RMH 
Volume II Procedure 2.3 and RMH Volume III Standard 3.1; Privacy and financial data should be 
protected by E-Authentication Level 3 controls. 

Recommended Corrective Action: Review the E-Authentication level of FFM for both users and 
system administrators. If Level 3 is the appropriate E-Authentication level, implement the 
appropriate controls and complete the e-Authentication workbook. Ensure system administrators 
are cleared for positions of trust. 

Risk: The E-Authentication level of a system determines the security controls and means when 
connecting to a system over or from an untrusted network. Use of inappropriate controls exposes 
the enterprise to additional risk. (RA-2). 

Due Date: February 7, 2014 

Finding: Control inheritance is incorrectly documented in CFACTS. 

Finding Description: FFM indicates many of its controls are “under the control of the 
Terremark”; however, these controls are not described as inherited from the Terremark data 
center within CFACTS. 

Recommended Corrective Action: Review the FIPS 199 inheritance selections in CFACTS and either 
select the appropriate inheritance or indicate the controls are solely the responsibility of 
FFM. 

Risk: Unclear control responsibility can lead to controls not being appropriately implemented 
and a lack of accountability. (AU-1). 

Due Date: February 7, 2014 

Finding: Inconsistent Points of Contact (POCs). 

Finding Description: The system developer/maintainer on the CMS Security Certification Form is 
a different person from the one currently listed in CFACTS. 

Recommended Corrective Action: Identify and update the appropriate system POCs for all of the 
documents and provide the updated POCs in CFACTS. 

Risk: Unclear role responsibility can affect the life cycle support of the system. (SA-3). 

Due Date: February 7, 2014 

END OF ACTIONS 
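
The first finding in the attachment above asks for uploaded documents to be scanned for macros while the file-type whitelist stays in place. One way such an upload gate could look, added here as an illustration and not taken from the memo or from any CMS system; the allowlisted extensions, the function names and the sample files are constructed assumptions, and the check flags the presence of VBA rather than judging whether a macro is malicious:

```python
"""Upload gate: extension allowlist plus a check for embedded VBA macros."""
import io
import os
import zipfile

# Assumption: the memo does not name the allowlisted types; these are placeholders.
ALLOWED = {".xlsx": "ooxml", ".xls": "ole", ".csv": "text"}

ZIP_MAGIC = b"PK\x03\x04"                       # OOXML packages are ZIP archives
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy compound-file header
# OLE directory entry names are UTF-16LE; VBA storages and streams carry this name.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
MAX_PART_BYTES = 1_000_000                      # cap on any part read during inspection


def container_of(data: bytes) -> str:
    """Classify content by its leading bytes, not by the client-supplied name."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "text"


def ooxml_reject_reason(data: bytes):
    """Return why an OOXML package must be refused, or None if nothing was found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            for info in pkg.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):
                    return f"VBA project part present: {info.filename}"
                if info.filename == "[Content_Types].xml":
                    if info.file_size > MAX_PART_BYTES:
                        return "content-types part is implausibly large"
                    types = pkg.read(info).lower()
                    if b"macroenabled" in types or b"vbaproject" in types:
                        return "content types declare a macro-enabled document"
    except zipfile.BadZipFile:
        return "unreadable ZIP container"
    return None


def inspect_upload(filename: str, data: bytes):
    """Return (accepted, reason) for one uploaded file."""
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED.get(ext)
    if expected is None:
        return (False, f"extension {ext or '(none)'} is not allowlisted")
    actual = container_of(data)
    if actual != expected:
        return (False, f"content is {actual} but extension {ext} implies {expected}")
    if actual == "ooxml":
        reason = ooxml_reject_reason(data)
        if reason:
            return (False, reason)
    elif actual == "ole" and OLE_VBA_MARKER in data:
        # Heuristic: covers VBA only, not Excel 4.0 (XLM) macro sheets.
        return (False, "OLE file contains a _VBA_PROJECT entry")
    return (True, "no VBA macro indicators found")


def build_package(parts: dict) -> bytes:
    """Build a small in-memory ZIP package (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()


# Constructed samples: minimal stand-ins, not real workbooks.
PLAIN_TYPES = ('<Types><Override PartName="/xl/workbook.xml" ContentType="application/'
               'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/></Types>')
MACRO_TYPES = ('<Types><Override PartName="/xl/workbook.xml" ContentType="application/'
               'vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>')
CLEAN_XLSX = build_package({"[Content_Types].xml": PLAIN_TYPES,
                            "xl/workbook.xml": "<workbook/>"})
MACRO_XLSX = build_package({"[Content_Types].xml": PLAIN_TYPES,
                            "xl/workbook.xml": "<workbook/>",
                            "xl/vbaProject.bin": b"\x00" * 16})
RENAMED_XLSM = build_package({"[Content_Types].xml": MACRO_TYPES,
                              "xl/workbook.xml": "<workbook/>"})
OLE_CLEAN = OLE_MAGIC + b"\x00" * 504
OLE_MACRO = OLE_CLEAN + "_VBA_PROJECT_CUR".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in [("plans.xlsx", CLEAN_XLSX), ("plans.xlsx", MACRO_XLSX),
                       ("plans.xlsx", RENAMED_XLSM), ("plans.xls", OLE_MACRO),
                       ("plans.csv", CLEAN_XLSX), ("plans.exe", b"MZ")]:
        print(name, inspect_upload(name, blob))
```

Rejecting every macro-bearing file is stricter than scanning for malicious macros, but it removes the reliance on the downloading user's machine that the finding describes.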
Because of Obamacare... 

I LOST MY INSURANCE 
YourStory 

Obamacare is much more than a bad website; it’s a bad law. Americans all across the country are already feeling 
the law's negative effects, such as rising premiums, limited access, and cancelled policies. This is happening to 
hardworking Americans in every corner of America - including your own district. When you're home, highlight the 
House Republican Conference’s "YourStory" project and encourage your constituents to submit feedback of their own 
experiences with Obamacare. 



Talking Points 

Courtesy of the House Ways & Means Committee 

Obamacare is increasing costs and forcing employers to reduce hours, eliminate jobs or cut wages. Families and 
individuals are losing the health insurance they have and like. No wonder a majority of Americans still disapprove of 
the law. 

• Premiums are increasing: The administration has abandoned President Obama's promise to reduce 
premiums by $2,500, and now acknowledges premiums will increase as a result of Obamacare. 

• Millions of Americans will lose the plan they have and like: Despite President Obama’s promise that 
you can keep the plan you have and like, we now know at least 7 million Americans will lose their employer- 
provided insurance as a result of Obamacare. 

• Obamacare is hurting job creation: While Minority Leader Pelosi promised that Obamacare would be a 
“jobs” bill, 70 percent of small businesses now cite Obamacare as a major obstacle to job creation. 

• Billions of dollars in tax hikes: The size of the individual mandate tax has risen dramatically from the original 
estimate of $17 billion to $55 billion. 

• Fewer people will get covered: Despite repeated claims that as many as 30 million plus people would gain 
insurance through Obamacare, recently the Administration said they hoped that up to 7 million people would 
enter the health care exchanges. 

• Millions more uninsured: The number of Americans left uninsured by Obamacare has risen by 8 million from 
the original estimate. 

Courtesy of the House Energy & Commerce Committee 

Keep Your Health Plan Act 

Chairman Upton and all GOP E&C members have introduced the Keep Your Health Plan Act to allow health care 
plans available today on the individual market to continue to be offered so Americans have the option to keep what 
they have if they like it. The bill also ensures that Americans maintaining their health care plan would not face a 
penalty under Obamacare. 

• NBC News reports that “the Obama administration has known that for at least three years," the 
President’s promise would not hold true for millions of Americans. 

• CBS News adds, "more than two million Americans have been told they cannot renew their current insurance 
plans...and this is just the tip of the iceberg." 

Broken Promises 

The President sold his health care law on two major promises: 1) If you like what you have, you can keep it. Period. 
And 2) Health care costs will go down for all Americans, and "save a typical family an average of $2,500..." Each of 
these promises has now been broken. 
Accountability 

Administration officials and the companies involved 
with building Healthcare.gov looked the committee in 
the eye and repeatedly insisted that everything was 
“on track.” Last week the contractors who built the 
site explained that they warned the Administration of 
problems and that the final, end-to-end testing was 
the Administration’s responsibility. 

On October 30th, Secretary of Health and Human 
Services Kathleen Sebelius testified that the website 
was not operating at its full functionality and confirmed 
the rollout was a debacle. 

Transparency 

What else is the Administration not disclosing? 

What further problems lie ahead for Healthcare.gov? 

The Administration boasts its record on transparency, 
but is refusing to provide enrollment figures. E&C 
Committee members first wrote to Secretary Sebelius 
on October 8 requesting these figures. 

Fairness 

How can the Administration force the American people to buy a product from a system that does not work? The 
Administration has given businesses a break for one year - what defensible reason do they have to not provide the 
same fairness to individual Americans? The bipartisan chorus for a delay is growing. 

Competence 

The Administration now has a serious competence problem. Healthcare.gov is so much more than a website. The 
website should have been the easy part. 
Social Media 

It’s important to execute effective messaging across all media, and social media is a crucial component. 
You should use Facebook, Twitter, YouTube and Instagram to update your constituents daily with posts 
linking to press releases, photos, video, and graphics that drive our messaging. Below are examples of 
recent tweets and Facebook posts from House Republicans that communicate our position. 



Tim Griffin 

Ann Wagner 

How has #Obamacare impacted you or your family? Tell me here: griffin.house.gov/how-has-obamac... 
#ar2 #arpx #arkansas 

Rep. Kevin Brady (@RepKevinBrady) 

For months, President Obama promised the American people, "If you like your health 
insurance, you can keep it." Today, the White House finally admitted, "It's True" some 
Americans won’t be able to keep their health care plan under Obamacare. 
#MoreBrokenPromises 

http://www.weeklystandard.com/blogs/wh-its-true-some-americ 
keep-their-health-care-plan-under-obamacare_?64860.html 

Obamacare Costs One Indiana School District $6 Million, so they opt to cut school 
workers’ hours instead. bit.ly/1apU7S5 

Rep. Peter Roskam 

MUST WATCH: This video shows actual excerpts from an online chat between a person 
trying to sign up for health insurance on Healthcare.gov and a customer service 
representative for the website. This actually happened. The American people deserve 
better. 

Rep. Martha Roby (@RepMarthaRoby) 

Flashback: "Let me be clear: If you like your 
health care plan, you can keep that too." - 
Obama in 2009 nypost.com/2013/10/29/oba 

Rep. Luke Messer 

What’s been your experience with healthcare.gov? Share your 
experience here: 

GOP.gov - The Website of the Republican 
Majority in the House of Representatives 

Sean Duffy (@RepSeanDuffy) 

Another story about #Obamacare’s impact 
on Americans. How is it impacting you? 
#ShareYourStory tinyurl.com/Hqw5sv 

Obama admin. knew millions could not 
keep their health insurance 

President Obama repeatedly assured 
Americans that after the Affordable Care Act 
became law, people who liked their health 
insurance would be able to keep it. But millions 
of Americans are getting or... 

Dave Camp 

Increased health care costs or losing the coverage you have and like? What has been your 
ObamaCare experience? Take my survey and share your thoughts. 

http://1.usa.gov/17njXDb 
Patrick Meehan (@RepMeehan) 

Sobering stat: more Americans have lost 
their insurance in just 3 states than have 
enrolled in #Obamacare in all 50 
forbes.com/sites/theapoth... 

Forbes 

More Americans In 3 States Have Had Their 
Insurance Canceled Under... 

The sad reality of the fumbled roll-out of 
ObamaCare appeared in two sets of news 
stories that serve as an ironic juxtaposition this 
week. Well over 500,000 individuals have seen 
their insurance 

repfinchertn08 

All across Tennessee and the rest of the country, 
stories are pouring in about insurance companies 
canceling coverage in the wake of Obamacare. Have 
you been able to keep your coverage? Have your 
rates gone up? #brokenpromises #obamacare 
#healthcare #fail 

jackiewalorski 

Requesting Indiana enrollment numbers from #HHS 
for health Insurance exchange, not applications filed. 
#ObamacareAnswers 
[Graphic: "The President's ... Promise and Reality", with a screenshot of a HealthCare.gov help 
chat that opens "Welcome. How can I help you?"; the visitor's message about the application 
process, the family & household section and a "Save & Continue" button that does not let them 
move forward is only partly legible.] 

A Promise He Could Not Keep 

President Obama repeatedly promised Americans 
that, "If you like your current health care plan you can 
keep it." Now, millions of Americans are discovering 
that is a promise the President could not keep. 

GOP.gov 
Digital Flyers 

Use these digital flyers in your social media posts to point to all the problems 
with the President's Affordable Care Act. 



OBAMACARE 
HITTING HOME 

#OBAMACARE BROKEN PROMISES 
- Plans Cancelled, Premiums Rising - 

#FairnessForAll 

GOP.gov/YourStory 

GOP.gov/JOBS 

Since the Obamacare exchanges opened on 
October 1st, Americans all across the country are 
feeling the real effects of the Affordable Care Act. 

A BAD PRODUCT 
THAT'S NOT AFFORDABLE 

IT'S NOT ACCESSIBLE 

AND YOU WILL BE FINED 
IF YOU DON’T BUY IT 

#FairnessForAll 

Chair Cathy McMorris Rodgers 
"Colorado's Obamacare website 
is trying to sell Obamacare 
to college kids by calling it 
bro'surance. Unfortunately the 
website wasn't working today 
because it is bro' broken." 

- Conan O'Brien 


“Only the federal government 
could come up with a website 
that's slower than sending 
something by mail.” 

- Jay Leno 


GOP.gov/YourStory 




DOUBLE DOWN 


OBAMACARE WILL INCREASE 
AVERAGE INDIVIDUAL MARKET 
INSURANCE PREMIUMS BY 
99% FOR MEN, 

G'/% FOR WOMEN 


#DontDoubleMyRate 

(Health Care Edition) 


OBAMACARE 
HITTING HOME 

"If you like your doctor, you will be able to keep your doctor, period. If you like your 
health care plan, you'll be able to keep your health care plan, period. No one will take it 
away, no matter what." - President Obama 

#FairnessForAll 

Since the Obamacare exchanges opened on 
October 1st, Americans all across the country are 
feeling the real effects of the Affordable Care Act. 

Cindy Vinson 
California 
Will have to pay 
$1,800 more a year 
for her individual plan. 

Tom Waschura 
California 
Will have to pay 
nearly $10,000 
more per year 
for insurance for 
his family of four. 

Robert Hare 
New Mexico 
Used to pay 
$87 per month; 
now he will be forced 
into the exchanges; 
and his premium 
will cost $431. 

Chair Cathy McMorris Rodgers 
Sample Op-Ed 

Based on an op-ed by Rep. Cory Gardner (CO-4), published in The Gazette September 13, 2013 

"If you like your health care plan you will be able to keep your health care plan. Period." That was one of the many 
promises made in 2009 by President Barack Obama to sell the Affordable Care Act, commonly known as Obamacare, 
to a skeptical nation. 

Today, as the federal government works to roll out implementation of the health care law, we see that the president's 
promises of 2009 could not be further from the realities of 2013. 

Last month, my wife, Jaime, and I received notice that our health care plan would be discontinued Dec. 31. To comply 
with the myriad new regulations, requirements and mandates of the president's health care law, my family must find a 
new health care plan. 

When I was elected to Congress, I chose not to enroll in the Federal Employee Health Benefits program that is 
available to Members of Congress and their staffs. Instead, I purchased insurance from the private market because I 
wanted to be enrolled in the same health insurance network that all Coloradans have access to. It's the same type of 
plan that many of my friends and neighbors in Yuma and across Colorado have. 

When I heard my family's plan was going to be discontinued, I felt blindsided. And I am not alone. 

Millions of people are seeing changes to their health care coverage as insurers scramble to come into compliance 
with the health care law’s thousands of pages of regulations. And these regulations aren't just forcing changes to 
health care coverage; they're driving premiums up at an alarming rate. 

Recent analysis has shown that average premiums in Colorado for the individual market will increase between 23 and 
25 percent. Moreover, premiums are expected to increase by 17 percent in the small group market. After my current 
plan is discontinued, the closest comparable plan through our current provider will cost over 100 percent more, going 
from roughly $650 a month to $1,480 per month. 

The president, congressional Democrats led by then-House Speaker Nancy Pelosi and their celebrity allies went 
out on television, radio and the Internet to insist that the law would lower premiums for average Americans. But for 
families across Colorado and the United States opening letters from their insurers or employers this week, the shiny 
veneer of the new law has given way to the ugly realities of higher premiums, reduced work hours and forced 
changes to coverage. 

Choosing a health care plan is a difficult and time-consuming process. 

Families like my own try to find coverage that works for them, taking into consideration access to family doctors, 
affordability and other factors that best fit their family. Those who have been happy with their current health care plans 
are now being forced to find new plans and must navigate the maze of new regulations in doing so. 

As a parent of two children, I want to have the peace of mind that when my children get sick, I am able to take them to 
our local doctor and make sure they get the treatment they need. The letter I received about my plan being dropped 
creates a genuine uncertainty about how my health care is going to be administered. Like millions of other Americans, 
my wife and I are now working to understand what our health care coverage will look like in 2014 and beyond. 

The letter I received last month has only served to renew my resolve to repeal this law. We need to ensure that 
people have better access to care with lower costs. The president’s health care law expands coverage, but families, 
small businesses, and young people are already seeing the skyrocketing costs. 

I know my family's situation is not unique. Unfortunately, this is happening to too many families and individuals all 
over the country, and it is for them and for all Americans that House Republicans remain committed to fighting this 
law. But we need your help. 

Have you or someone you know lost your health care coverage as a result of the President's health care law? Share 
your story with House Republicans at our new website, GOP.gov/YourStory. Stories like yours and mine are more 
reasons for House Republicans to continue focusing on patient-centered reforms, not government-centered health 
care. 

The president has made a promise that he couldn't keep. Share your Obamacare story and help us hold the 
administration accountable. 


HOUSE REPUBLICAN CONFERENCE 
Chair Cathy McMorris Rodgers 
Fact Sheets 

Fast Facts 

• No one, not even the Administration, knows the full extent of the technical problems. 

• The Administration spent $267 million for the underlying system and a total of $500 million on the online effort, 
including back-end systems. To put into perspective, Facebook operated for six years before surpassing the 
$500 million mark; Twitter brought in $300.17 million before getting a boost in 2011. And finally, Instagram 
generated $57.5 million before Facebook acquired it. 

• To date, HHS has awarded approximately $3.8 billion to establish, plan, and innovate exchanges. 

• Both GAO and Office of Inspector General issued reports prior to October 1, 2013 highlighting vulnerabilities, 
particularly for the data hub. 

• The Administration knows it needs seven million individuals to enroll in 2014 to be financially sustainable. 

• 6200 people completed applications on October 1, 2013. 

• During the first week, about 51,000 people completed an online application. 

• According to a Washington Post-ABC News poll, fifty-six percent of Americans believe that the website's flaws 
"reflect larger problems with the health care law." 

Courtesy of House Ways & Means Committee 

Republicans are still committed to full repeal. To date, Republicans have secured numerous repeals and cuts 
to the law: 


Although the Democrat-led Senate still refuses to take up legislation to fully repeal Obamacare, House Republicans 
have not stopped looking for ways to defund it, resulting in nearly $55 billion being taken out of Obamacare as efforts 
continue into the 113th Congress and beyond:


Obamacare Repeal/Cut Provisions That Are Now Law                                               Savings

Reducing wasteful and fraudulent overpayments of taxpayer-funded subsidies (P.L. 112-9)        $24.9 billion

Striking the Democrats' overly-generous eligibility criteria for taxpayer-subsidized health    $13 billion
coverage to more closely align eligibility with other federally-means tested programs
(P.L. 112-56)

Slashing funding for Harkin "Prevention" Fund (P.L. 112-96)                                    $5 billion

Rebase Medicaid Disproportionate Share Hospital allotments (P.L. 112-96)                       $4 billion

Eliminating funding for the "Louisiana Purchase" (P.L. 112-96)                                 $2.5 billion

Cuts to Obamacare Co-Ops (P.L. 112-10)                                                         $2.2 billion

Obamacare's so-called "Free-Choice" vouchers (P.L. 112-10)                                     $400 million

Rescinds funding for the Democrats' rationing board in FY 2012 (P.L. 112-74)                   $10 million

Repeal of unsustainable CLASS program (P.L. 112-240)                                           N/A

Further rescissions in funding for the "Louisiana Purchase" (P.L. 112-141)                     $670 million

Eliminate remaining funding for Co-Ops (P.L. 112-240)                                          $2.3 billion

TOTAL                                                                                          $54.97 billion

In addition to the provisions above, President Obama also signed into law the repeal of the onerous 1099 IRS
reporting provision in his health care law. This will save American businesses countless hours and dollars in compliance
costs, freeing up money to hire new workers or retain existing ones during tough economic times. The President also
signed the Budget Control Act (P.L. 112-25) into law, which will force the White House Office of Management and
Budget to adopt billions of dollars in across-the-board cuts to Obamacare.

The House has also voted to cut or repeal a number of Obamacare provisions that the Senate refuses to consider, 
including: 

• Reducing wasteful and fraudulent overpayments of taxpayer-funded subsidies even further (H.R. 3630) 

• Additional cuts to the Harkin Fund (H.R. 1217 and H.R. 3630)

• Repealing the Democrats' rationing board (H.R. 5)

• Eliminating a new entitlement program that Obama Administration officials agree is unsustainable (H.R. 1173)

• Ensuring that the long standing Hyde amendment is applied consistently, prohibiting the use of taxpayer 
money in the expanded Medicaid program and the new health insurance exchanges (H.R. 3 and H.R. 358) 

• Allowing physician-owned hospitals to grow and expand to meet the needs of patients in their area (H.R. 3630) 

• Repealing funding for health insurance exchanges (H.R. 1213) 

• Repealing funding for SBHC construction (H.R. 1214) 

• Converting funding for graduate medical education in qualified teaching health centers to an authorization of 
appropriations (H.R. 1216) 

• Delaying the arduous individual and employer mandates from Obamacare (H.R. 2667 & 2668) 

Obamacare Timeline 


Date | Provision

Higher Costs and Taxes - 2013 

January 1, 2013 

Limitation on flexible savings account contributions to $2,500 per year (indexed to CPI). 
Employers may adopt retroactive amendments to impose the $2,500 limit before December, 
2014. 


Imposition of a 0.9 percent Medicare Part A wage tax and a 3.8 percent tax on unearned, 
non-active business income for those earning over $200,000 or $250,000 for families (not 
indexed to inflation) 


Imposition of a 2.3 percent excise tax on medical devices 


Increase in the income threshold for claiming tax deductions for medical expenses from 7.5 
percent to 10 percent 


Elimination of the existing deduction for employers who maintain prescription drug plans 


Increase in Medicaid payment rates to primary care physicians for primary care services to
100 percent of the Medicare payment rate for 2013 and 2014

July 1, 2013

Mandated Consumer Operated and Oriented Plan (CO-OP) nonprofit, member-run health 
insurance companies go into operation. 

The Secretary, in conjunction with the NAIC, issues regulations on health care choice 
compacts which allow states to enter into agreements regarding which health plans could be 
offered in the markets in all States, but only be subject to the laws of the State where the plan 
was created. 

October 1, 2013

Cuts to Medicare payments to hospitals for treating low-income seniors [1]


Start of open enrollment in Health Insurance Marketplace 


Cuts to federal Medicaid payments for Disproportionate Share Hospitals from $18.1 billion to 
$14.1 billion (beginning FY 2014) 

November 15, 2013 

The Administration indicated it will roll out enrollment data. 

December 15, 2013 

Deadline for enrollment in order to be covered on January 1, 2014.

More Government, Higher Costs 

January 1, 2014 

Implementation of Health Insurance Marketplace (Exchanges) - 17 states plus DC will
implement their own exchanges, 7 in partnership with federal government, remaining 26 
states will be run by the federal government 


Prohibition on annual limits or coverage restrictions on pre-existing conditions (guaranteed 
issue/renewability). 


Extension of prohibition on excessive waiting periods (90 days) to existing health plans 


Imposition of modified community ratings: family versus individual; geography; 3:1 ratio for
age and 1.5:1 for smoking


Imposition of government-defined “essential benefits” and coverage levels on insurance plans 


Limitation on out-of-pocket cost sharing (tied to limits in HSAs). Limits are $6,250 for
individuals and $12,700 for families (indexed for COLA) 


Implementation of premium subsidies for insurance purchased in the Health Insurance 
Marketplace - amounts of subsidies are dependent on income and available up to 400 
percent of the federal poverty line 


Requirement that federal government offer at least two multi-state plans in every state 

Higher Taxes 

January 1, 2014 

Imposition of new health insurance industry tax (increase will be $8 billion in 2014, $11.3
billion in 2015 and 2016, $13.9 billion in 2017, and $14.3 billion in 2018 and indexed to
medical cost growth afterwards)


Imposition of individual mandate. Individuals who fail to obtain acceptable insurance will incur 
a penalty tax of the greater: $695 or 2.5 percent of income. For families without approved 
coverage, penalties are capped at $2,250 until 2016 and then indexed for inflation 

Higher Costs/Lost Coverage/Lost Jobs/Employer Mandates 

January 1, 2014

Imposition of the Employer mandate. Employers with 50 full time employees or more who fail 
to offer "affordable" coverage must pay a $3,000 penalty for every low-income employee that 
receives a subsidy through the Exchange, even if coverage is already provided 


Imposition of $2,000 tax penalty on employers who employ more than 50 full time employees
and don't provide insurance coverage. Penalty assessed for every full time employee. Up to
30 full time employees are exempt when calculating penalty


Require employers with more than 200 employees to auto-enroll employees in health 
coverage, with opt-out options 

Decreased Access and a Weakened Safety Net 

January 1, 2014

Continued cuts to Medicare home health reimbursement 


Cuts to Medicare payments to Disproportionate Share Hospitals 


Expansion of Medicaid coverage to 22 million childless adults up to 138 percent of the federal
poverty line - diminishing resources for vulnerable populations. States will receive 100
percent of the FMAP 2014-2016, 95 percent in 2017, 94 percent in 2018, and 90 percent after

January 15, 2014 

Submission of IPAB recommendations. The IPAB annual report on system-wide healthcare 
costs is submitted on July 1. IPAB submits recommendations to slow the growth of health
care expenditures January 1, 2015. 

Further Costs after 2014 

January 1, 2015 

Implementation of payments tied to quality of care 


Continued cuts to Medicare reimbursements for home health care

January 1, 2016 

Healthcare Choice Compacts go into effect. 

January 1, 2017

States may allow businesses with more than 100 employees to purchase insurance in the 
exchange 

January 1, 2018 

Imposition of the "40 percent" excise tax on "high value" or "Cadillac plans"


[1] http://www.californiahealthline.org/articles/2013/5/14/cms-outlines-cuts-to-hospitals-that-treat-lowincome-patients.aspx

GAO

Report to Congressional Committees 
October 2011 

INFORMATION TECHNOLOGY Critical Factors Underlying Successful Major Acquisitions 
http://www.gao.gov/assets/590/585842.pdf